Re: [Libreboot] Git clone authentication

[Guilhem Moulin]

On Fri, 19 Aug 2016 at 17:41:51 -0700, koanhead wrote:
> Other than that, if you clone the repository in a manner vulnerable to
> MITM, you should still be able to verify its checksum against the one
> that's published. As far as I can tell from perusing
> http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global sum
> published for the whole tree.

One way around this is to sign tags (using ‘git tag -su keyid tagname’).
Then, assuming a trust path to the signer's OpenPGP key — and the second
preimage-resistance of SHA-1, anyone could verify the integrity of the
tree (including committed files and commit messages) from the tag all the
way down.

For someone who's HEAD isn't on tag, the same technique applies with
more overhead as it requires individual commits to be signed (with ‘git
commit -Skeyid’).

Cheers,
-- 
Guilhem.

signature.asc
Description: PGP signature