diff options
| author | EuAndreh <eu@euandre.org> | 2025-03-31 21:51:40 -0300 |
|---|---|---|
| committer | EuAndreh <eu@euandre.org> | 2025-03-31 21:51:40 -0300 |
| commit | 570ec471d1605318aeefb030cd78682ae442235b (patch) | |
| tree | 51e17eabe37c6689f8799b55e6875c3480329a2c /src/content/tils/2021/07/23/git-tls-gpg.adoc | |
| parent | Makefile, mkdeps.sh: Derive index.html and feed.xml from more static "sortdat... (diff) | |
| download | euandre.org-570ec471d1605318aeefb030cd78682ae442235b.tar.gz euandre.org-570ec471d1605318aeefb030cd78682ae442235b.tar.xz | |
src/content/: Update all files left to asciidoc
Diffstat (limited to 'src/content/tils/2021/07/23/git-tls-gpg.adoc')
| -rw-r--r-- | src/content/tils/2021/07/23/git-tls-gpg.adoc | 43 |
1 files changed, 16 insertions, 27 deletions
diff --git a/src/content/tils/2021/07/23/git-tls-gpg.adoc b/src/content/tils/2021/07/23/git-tls-gpg.adoc index fd42c1c..8fe86c6 100644 --- a/src/content/tils/2021/07/23/git-tls-gpg.adoc +++ b/src/content/tils/2021/07/23/git-tls-gpg.adoc @@ -1,27 +1,21 @@ ---- += GPG verification of Git repositories without TLS -title: GPG verification of Git repositories without TLS - -date: 2021-07-23 - -layout: post - -lang: en - -ref: gpg-verification-of-git-repositories-without-tls - ---- +:empty: +:git-protocol: https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols#_the_git_protocol +:remembering: https://euandreh.xyz/remembering/ For online Git repositories that use the [Git Protocol] for serving code, you can can use GPG to handle authentication, if you have the committer's public key. Here's how I'd verify that I've cloned an authentic version of -[remembering][remembering][^not-available]: +{remembering}[remembering]footnote:not-available[ + Funnily enough, not available anymore via the Git Protocol, now only with + HTTPS. +]: -[^not-available]: Funnily enough, not available anymore via the Git Protocol, now only with HTTPS. - -```shell +[source,shell] +---- $ wget -qO- https://euandre.org/public.asc | gpg --import - gpg: clef 81F90EC3CD356060 : « EuAndreh <eu@euandre.org> » n'est pas modifiée gpg: Quantité totale traitée : 1 @@ -32,7 +26,7 @@ $ git verify-commit HEAD gpg: Signature faite le dim. 27 juin 2021 16:50:21 -03 gpg: avec la clef RSA 5BDAE9B8B2F6C6BCBB0D6CE581F90EC3CD356060 gpg: Bonne signature de « EuAndreh <eu@euandre.org> » [ultime] -``` +---- On the first line we import the public key (funnily enough, available via HTTPS), and after cloning the code via the insecure `git://` protocol, we use @@ -40,17 +34,12 @@ HTTPS), and after cloning the code via the insecure `git://` protocol, we use The verification is successful, and we can see that the public key from the signature matches the fingerprint of the imported one. However -`git verify-commit` doesn't have an option to check which public key you want -to verify the commit against. Which means that if a MITM attack happens, the -attacker could very easily serve a malicious repository with signed commits, -and you'd have to verify the public key by yourself. That would need to happen -for subsequent fetches, too. +`git verify-commit` doesn't have an option to check which public key you want to +verify the commit against. Which means that if a MITM attack happens, the +attacker could very easily serve a malicious repository with signed commits, and +you'd have to verify the public key by yourself. That would need to happen for +subsequent fetches, too. Even though this is possible, it is not very convenient, and certainly very brittle. Despite the fact that the Git Protocol is much faster, it being harder to make secure is a big downside. - - - -[Git Protocol]: https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols#_the_git_protocol -[remembering]: https://euandreh.xyz/remembering/ |