
[bug-mailutils] git tagging best practices

From: Daniel Kahn Gillmor
Subject: [bug-mailutils] git tagging best practices
Date: Thu, 14 Mar 2019 12:25:55 -0400

Hi Sergey--

I notice that you're in the habit of making cryptographically-signed
tags for recent GNU mailutils releases.  Thank you for doing that!

I wanted to recommend that you prefix your tag messages with "GNU
Mailutils" for future tags.  This defends against a possible obscure
attack against any other repositories of software that you might be
responsible for.  (And it would defend GNU Mailutils against
impersonation attacks from any other such project as well.)

So, rather than doing:

    git tag -s -m 'Version 3.7' release-3.7

instead, please do:

    git tag -s -m 'GNU Mailutils Version 3.7' release-3.7

The issue is that the thing that is being tagged is not clearly
recognizable as GNU Mailutils -- it's just something signed, by OpenPGP
certificate 0x325F650C4C2B6AD58807327A3602B07F55D0C732.  People might
evaluate it as a GNU Mailutils because of where they happen to find the
git repository (e.g. the URL they chose), but the same git repository
can be replicated to some other location, and the signed tag will show
up there as well.

By ensuring that your git tag messages are specific to the project that
you're signing, someone verifying your signed tag on *any* repository
can defend against this attack by ensuring not only your signature, but
also that the signing message is related to the project that they care

All the best,


PS Note that the *name* of the tag itself is not covered by the
   cryptographic signature (it is possible to rename tags without
   modifying their cryptographic validity).  This is why I recommend
   using the tag message to contain this information rather than the tag
   name itself.
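The verification the message asks for can be automated. What follows is an added example, not code from this email or from GNU Mailutils: it parses a raw annotated tag object (the text `git cat-file tag <ref>` prints) and checks that the tag message names the project and that a signature block is present. The sample tag object, its tagger and its signature block are constructed placeholders; the extra check that the signed `tag` header matches the ref name you looked up is an assumption on my part, since the ref name itself is not covered by the signature.

```python
"""Policy check for signed git tags: the message must identify the project,
because the ref name (refs/tags/...) is not protected by the OpenPGP signature."""
import subprocess

# Constructed sample of a raw annotated tag object, in the layout that
# `git cat-file tag release-3.7` prints.  Object id, tagger and signature
# block are placeholders, not real values.
SAMPLE_TAG = """object 1111111111111111111111111111111111111111
type commit
tag release-3.7
tagger Example Tagger <tagger@example.invalid> 1552000000 +0000

GNU Mailutils Version 3.7
-----BEGIN PGP SIGNATURE-----
(placeholder signature block)
-----END PGP SIGNATURE-----
"""

SIG_MARKER = "-----BEGIN PGP SIGNATURE-----"


def parse_tag_object(raw):
    """Split a raw tag object into (headers, message, signature block)."""
    header_text, _, body = raw.partition("\n\n")
    headers = dict(line.split(" ", 1) for line in header_text.splitlines())
    message, sep, sig = body.partition(SIG_MARKER)
    return headers, message.rstrip("\n"), (sep + sig) if sep else ""


def check_tag_policy(raw, ref_name, project_prefix):
    """Return a list of policy problems; an empty list means the tag passes.
    Cryptographic validity is checked separately with `git verify-tag`."""
    headers, message, sig = parse_tag_object(raw)
    subject = message.splitlines()[0] if message else ""
    problems = []
    if not sig:
        problems.append("tag carries no PGP signature block")
    if not subject.startswith(project_prefix):
        problems.append(f"message {subject!r} does not start with {project_prefix!r}")
    if headers.get("tag") != ref_name:  # embedded name is signed, the ref name is not
        problems.append(f"embedded tag name {headers.get('tag')!r} != ref {ref_name!r}")
    return problems


def read_tag_object(ref_name, repo="."):
    """Fetch the raw tag object from a real repository (needs git installed)."""
    return subprocess.check_output(["git", "-C", repo, "cat-file", "tag", ref_name], text=True)
```

Run `git verify-tag <ref>` first, then `check_tag_policy(read_tag_object(ref), ref, "GNU Mailutils")`; an empty list means the signed content itself, not just the repository URL, identifies the project.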

