(no title)
ilammy | 2 years ago
* Commit references the tree. If you sign the entire commit object – which is what you want, not leaving a way to change something about the commit without invalidating the signature – you sign the file tree as you saw it and implicitly all its history. Might as well sign the tag then.
* Signatures separable from the commit have a benefit of allowing someone other than the author and committer at the time to certify authenticity of the file tree. For example, if the key needs to be rotated later, you can slap a new signature over the previous one.
* Signing every single commit is tedious, so you're bound to get it automated at some point. Now your signatures are worth less because your keys are always around to indiscriminately, automatically sign whatever.
thrwwycbr|2 years ago
The process of signing a commit is used in a kind of wrong manner, I suppose, because of your mentioned points.
The "view of the file tree as you saw it" basically implies that signed commits aren't worth anything if the code is refactored or changed later, which inevitably it will.
Using tags as a reference point, however, is the idea of snapshotting a mutually agreed state between multiple parties working on the project.
I think you could take this a little further, and use it to implement a Q&A workflow, where e.g. a code review team and a testing team should sign a specific snapshot as "working as we saw it", and that could integrate very well if you e.g. have a semantic version epoche of your project.
reissbaker|2 years ago
> It's bound to get automated at some point
Definitely — it already is automated. Git can sign commits using your SSH key automatically, and assuming you have something like ssh-agent running, you aren't going to need to enter your password or tap your Yubikey or whatever every time. That doesn't mean it's worthless for application development. While the developer machine being compromised is still a risk, it still mitigates man-in-the-middle attacks where your repository is compromised, or a pipeline betweeen your repo and the build machines are compromised, and an attacker can spoof commits. With signed commits, the attack wouldn't work: you don't need a chain of trust in between build servers and dev machines, you just need to trust the dev machines and the build servers. Everything in between is unable to modify the tree without getting caught.
Signing tags doesn't provide extra security, either; if the dev machine is compromised, ultimately the dev who is signing the commits can't trust their own machine to tell them what's on disk and what they're signing. And if the build server is compromised, you can't trust it to ignore unsigned commits, or commits where the signatures don't match.
bpfrh|2 years ago
Key would then by not on your device so extraction would be difficult or impossible.
You would need to touch the key to grant the sign request which would prevent any signing without you noticing.
ilammy|2 years ago
I do git rebase -i often. Do I want to touch my yubikey exactly 37 times for the 37 commits amended, or do I want to touch it once and just trust the software for the next N seconds to sign only these commits and not anything else?
Now, if I'm the verifier, do I trust the signer to do it properly? Or the half their commits are actually made by their cat and automatically signed?
Signing a tag is a relatively rare and very deliberate action. A more secure approach is less likely to impact convenience, reducing the chance of compromising security because it was inconvenient.
tiziano88|2 years ago
Already__Taken|2 years ago
thrwwycbr|2 years ago
It was about the laziness of humans not actually reading the code thoroughly when they sign it, and therefore negating the point of ledging/signing the state of the project.