I am quite new to git, and I have seen that it is possible to sign the tags with gpg. I understand how public key cryptography works, and I understand how to sign the tags, but what is the point in doing it?
The point of signing a tag is that now anyone who has your public key can prove that you have approved that particular commit as being that particular version of the program. If they happen to trust you as being the official source of releases for that package, then they know that they got an official version of that package, not some random version that might have been backdoored by an attacker or corrupted in transit.
Understanding the basics of the git object model shows the value of signing tags.
The diagram below, borrowed from the Git Community Book, depicts a particular snapshot. The shaded boxes are git objects. The commit object at left refers to a tree. Think of a tree like a filesystem directory, so a tree object refers to other trees and blobs. A blob object stores file contents.
Every git object has a SHA1, a unique 40-character hex digest derived from that object's contents. The abbreviated hex strings above the objects represent their respective SHA1s.
Git objects are immutable: changing even a single bit of the object's contents changes its name. It's SHA1s all the way down. Any change to a blob requires a new tree and then in turn a new commit, so it's impossible to both slip in different contents and avoid detection. Knowing only the SHA1 of a commit gives you a precise, integrity-checked snapshot of a tree.
A commit also refers to its immediate parent (or multiple parents in the case of merges), so the guarantee is even stronger. Changing a single bit anywhere in a commit's history also changes its SHA1. Knowing only a single commit's SHA1 gives you a huge amount of information: an exact tree in the context of an exact history going all the way back to the first commit.
Anyone can create commits, and anyone can claim to be, say, Linus Torvalds. It's important to know which commits are trustworthy. A signed tag that refers to a commit gives you all of the above information along with verifiable authenticity. Many projects use signed tags as a way of stamping Officially Blessed Releases.
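The hash chain the answer describes, as an added example that is not part of the original post: it recomputes git object ids (blob, tree, commit) in pure Python, shows that a one-byte change in a file changes the tree and commit ids, and prints the payload that `git tag -s` hands to GPG, which names the commit by its SHA1. The identity string and file contents are constructed; the tree builder handles regular files only.

```python
import hashlib

def git_object_id(kind, body):
    """SHA1 of a git object: header '<type> <size>\\0' followed by the raw body.
    Gives the same value as `git hash-object -t <type>` for that body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content):
    return git_object_id("blob", content)

def tree_id(files):
    """files: dict name -> bytes (regular files only, mode 100644).
    A tree body is '<mode> <name>\\0' + the 20 raw bytes of each child's id,
    entries sorted by name (git sorts directories as 'name/', not needed here)."""
    body = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
        for name in sorted(files)
    )
    return git_object_id("tree", body)

def commit_id(tree, parents, ident, message):
    """A commit names its tree and parents by SHA1, so it commits to the whole history."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", "\n".join(lines).encode() + b"\n")

def signed_tag_payload(commit, tag_name, ident, message):
    """The bytes a GPG signature on an annotated tag covers: the tag names the
    commit by SHA1, and that SHA1 in turn fixes the exact tree and history."""
    return (f"object {commit}\ntype commit\ntag {tag_name}\n"
            f"tagger {ident}\n\n{message}\n").encode()

IDENT = "Example Dev <dev@example.invalid> 1700000000 +0000"  # constructed identity

def release_ids(files, parent_commit=None):
    """Return (tree id, commit id) for a constructed snapshot of `files`."""
    tree = tree_id(files)
    parents = [parent_commit] if parent_commit else []
    return tree, commit_id(tree, parents, IDENT, "Release 1.0")

if __name__ == "__main__":
    good = {"README": b"hello\n", "main.c": b"int main(void){return 0;}\n"}
    bad = dict(good, **{"main.c": b"int main(void){return 1;}\n"})  # one byte differs
    t1, c1 = release_ids(good)
    t2, c2 = release_ids(bad)
    print(blob_id(b"hello\n"))   # ce013625030ba8dba906f756967f9e9ca394464a, as git computes it
    print(t1 != t2, c1 != c2)    # True True: the change propagates up to the commit id
    print(signed_tag_payload(c1, "v1.0", IDENT, "Official release").decode())
```

Because the signed payload contains only the commit's SHA1, a verified signature vouches for every blob and every ancestor commit reachable from it without signing them individually.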