cgwalters / git-evtag Goto Github PK

Extended verification for git tags

License: Other

Makefile 20.82% Shell 19.36% C 37.99% Python 4.63% M4 3.44% Rust 6.63% Meson 7.14%

git-evtag's Introduction

git-evtag

git-evtag can be used as a replacement for git-tag -s. It will generate a strong checksum (called Git-EVTag-v0-SHA512) over the commit, tree, and blobs it references (and recursively over submodules). A primary rationale for this is that the underlying SHA1 algorithm of git is under increasing threat. Further, a goal here is to create a checksum that covers the entire source of a single revision as a replacement for tarballs + checksums.

git-evtag was originally discussed (long before the SHA1 collision of February 2017) on the git mailing list:

Getting git-evtag

See also the the Node.js implementation.

Fedora package
Building from source: Requires glib2 and libgit2.

Using git-evtag

Create a new v2015.10 tag, covering the HEAD revision with GPG signature and Git-EVTag-v0-SHA512:

$ git-evtag sign v2015.10
 ( type your tag message, note a Git-EVTag-v0-SHA512 line in the message )
$ git show v2015.10
 ( Note signature covered by GPG signature )

Verify a tag:

$ git-evtag verify v2015.10
gpg: Signature made Sun 28 Jun 2015 10:49:11 AM EDT
gpg:                using RSA key 0xDC45FD5921C13F0B
gpg: Good signature from "Colin Walters <[email protected]>" [ultimate]
gpg:                 aka "Colin Walters <[email protected]>" [ultimate]
Primary key fingerprint: 1CEC 7A9D F7DA 85AB EF84  3DC0 A866 D7CC AE08 7291
     Subkey fingerprint: AB92 8A9C F8DD 0629 09C3  7BBD DC45 FD59 21C1 3F0B
Successfully verified: Git-EVTag-v0-SHA512: b05f10f9adb0eff352d90938588834508d33fdfcedbcfc332999ee397efa321d1f49a539f1b82f024111a281c1f441002e7f536b06eb04d41857b01636f6f268

Replacing tarballs - i.e. be the primary artifact

This is similar to what project distributors often accomplish by using git archive, or make dist, or similar tools to generate a tarball, and then checksumming that, and (ideally) providing a GPG signature covering it.

Tarball reproducibility

The problem with git archive and make dist is that tarballs (and other tools like zip files) are not easily reproducible exactly from a git repository commit. The authors of git reserve the right to change the file format output by git archive in the future. Also, there are a variety of reasons why compressors like gzip and xz aren't necessarily reproducible, such as compression levels, included timestamps, optimizations in the algorithm, etc. See Pristine tar for some examples of the difficulties involved (e.g. trying to retroactively guess the compression level arguments from the xz dictionary size).

If the checksum is not reproducible, it becomes much more difficult to easily and reliably verify that a generated tarball contains the same source code as a particular git commit.

What git-evtag implements is an algorithm for providing a strong checksum over the complete source objects for the target commit (+ trees + blobs + submodules). Then it's integrated with GPG for end-to-end verification. (Although, one could also wrap the checksum in X.509 or some other public/private signature solution).

Then no out of band distribution mechanism is necessary, and better, the checksums strengthen the ability to verify integrity of the git repository.

(And if you want to avoid downloading the entire history, that's what git clone --depth=1 is for.)

Git and SHA1

NEW! The first SHA1 collision was announced February 23, 2017:

Git uses a modified Merkle tree with SHA1, which means that if an attacker managed to create a SHA1 collision for a source file object (git blob), it would affect all revisions and checkouts - invalidating the security of all GPG signed tags whose commits point to that object.

Now, the author of this tool believes that today, GPG signed git tags are fairly secure, especially if one is careful to ensure transport integrity (e.g. pinned TLS certificates from the origin).

The Git-EVTag algorithm (v0)

There is currently only one version of the Git-EVTag algorithm, called v0 - and it only supports SHA-512. It is declared stable. All further text refers to this version of the algorithm. In the unlikely event that it is necessary to introduce a new version, this tool will support all known versions.

Git-EVTag-v0-SHA512 covers the complete contents of all objects for a commit; again similar to checksumming git archive, except reproducible. Each object is added to the checksum in its raw canonicalized form, including the header.

For a given commit (in Rust-style pseudocode):

fn git_evtag(repo: GitRepo, commitid: String) -> SHA512 {
    let checksum = new SHA512();
    walk_commit(repo, checksum, commitid)
    return checksum
}

fn walk_commit(repo: GitRepo, checksum : SHA512, commitid : String) {
    checksum_object(repo, checksum, commitid)
    let treeid = repo.load_commit(commitid).treeid();
    walk(repo, checksum, treeid)
}

fn checksum_object(repo: GitRepo, checksum: SHA512, objid: String) -> () {
    // This is the canonical header of the object; <typename> <length (ascii base 10)>
    // https://git-scm.com/book/en/v2/Git-Internals-Git-Objects#Object-Storage
    let header : &str = repo.load_object_header(objid);
    // The NUL byte after the header, explicitly included in the checksum
    let nul = [0u8];
    // The remaining raw content of the object as a byte array
    let body : &[u8] = repo.load_object_body(objid);
    
    checksum.update(header.as_bytes())
    checksum.update(&nul);
    checksum.update(body)
}

fn walk(repo: GitRepo, checksum: SHA512, treeid: String) -> () {
    // First, add the tree object itself
    checksum_object(repo, checksum, treeid);
    let tree = repo.load_tree(treeid);
    for child in tree.children() {
        match childtype {
            Blob(blobid) => checksum_object(repo, checksum, blobid),
            Tree(child_treeid) => walk(repo, checksum, child_treeid),
            Commit(commitid, path) => {
                let child_repo = repo.get_submodule(path)
                walk_commit(child_repo, checksum, commitid)
            }
        }
    }
}

This strong checksum, can be verified reproducibly offline after cloning a git repository for a particular tag. When covered by a GPG signature, it provides a strong end-to-end integrity guarantee.

It's quite inexpensive and practical to compute Git-EVTag-v0-SHA512 once per tag/release creation. At the time of this writing, on the Linux kernel (a large project by most standards), it takes about 5 seconds to compute on this author's laptop. On most smaller projects, it's completely negligible.

Aside: other aspects of tarballs

This project is just addressing one small part of the larger git/tarball question. Anything else is out of scope, but a brief discussion of other aspects is included below.

Historically, many projects include additional content in tarballs. For example, the GNU Autotools pregenerate a configure script from configure.ac and the like. Other projects don't include translations in git, but merge them out of band when generating tarballs.

There are many other things like this, and they all harm reproducibility and continuous integration/delivery.

For example, while many of my projects use Autotools, I simply have downstream authors run autogen.sh. It works just fine - the autotools are no longer changing often, and many downstreams want to do it anyways.

For the translation issue, note that bad translations can actually crash one's application. If they're part of the git repository, they can be more easily tested as a unit continuously.

git-evtag's People

Contributors

Stargazers

Watchers

Forkers

tyll ignatenkobrain ypid dustymabe martindale mikalv alexxnica kryndex wjt pwithnall sambacha smcv socios-linux

git-evtag's Issues

gmane links are dead

FYI

Add tests

generate (dummy gpg keys?)
Validate
Failing validation

Homebrew formula, but more robust MacOS install needed

Hi, I would be happy to contribute a formula to Homebrew for this, but right now this fails to build on my MacOS Yosemite machine. Any thoughts on how I might fix this?

MacBook-Pro:Sandbox ibeekman$ hub clone cgwalters/git-evtag
Cloning into 'git-evtag'...
remote: Counting objects: 353, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 353 (delta 0), reused 0 (delta 0), pack-reused 350
Receiving objects: 100% (353/353), 117.49 KiB | 0 bytes/s, done.
Resolving deltas: 100% (196/196), done.
MacBook-Pro:Sandbox ibeekman$ cd git-evtag/
MacBook-Pro:git-evtag ibeekman$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force
autoreconf: configure.ac: tracing
autoreconf: configure.ac: creating directory build-aux
autoreconf: running: glibtoolize --copy --force
glibtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
glibtoolize: copying file 'build-aux/ltmain.sh'
glibtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
glibtoolize: copying file 'm4/libtool.m4'
glibtoolize: copying file 'm4/ltoptions.m4'
glibtoolize: copying file 'm4/ltsugar.m4'
glibtoolize: copying file 'm4/ltversion.m4'
glibtoolize: copying file 'm4/lt~obsolete.m4'
glibtoolize: Consider adding '-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
autoreconf: running: /usr/local/Cellar/autoconf/2.69/bin/autoconf --force
autoreconf: running: /usr/local/Cellar/autoconf/2.69/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:10: installing 'build-aux/compile'
configure.ac:30: installing 'build-aux/config.guess'
configure.ac:30: installing 'build-aux/config.sub'
configure.ac:7: installing 'build-aux/install-sh'
configure.ac:7: installing 'build-aux/missing'
Makefile.am:32: warning: girdir multiply defined in condition TRUE ...
Makefile-decls.am:39: ... 'girdir' previously defined here
Makefile.am:18:   'Makefile-decls.am' included from here
Makefile.am:33: warning: gir_DATA multiply defined in condition TRUE ...
Makefile-decls.am:40: ... 'gir_DATA' previously defined here
Makefile.am:18:   'Makefile-decls.am' included from here
Makefile.am:34: warning: typelibdir multiply defined in condition TRUE ...
Makefile-decls.am:41: ... 'typelibdir' previously defined here
Makefile.am:18:   'Makefile-decls.am' included from here
Makefile.am:35: warning: typelib_DATA multiply defined in condition TRUE ...
Makefile-decls.am:42: ... 'typelib_DATA' previously defined here
Makefile.am:18:   'Makefile-decls.am' included from here
src/Makefile-git-evtag.am:20: warning: source file 'src/git-evtag.c' is in a subdirectory,
src/Makefile-git-evtag.am:20: but option 'subdir-objects' is disabled
Makefile.am:37:   'src/Makefile-git-evtag.am' included from here
automake: warning: possible forward-incompatibility.
automake: At least a source file is in a subdirectory, but the 'subdir-objects'
automake: automake option hasn't been enabled.  For now, the corresponding output
automake: object file(s) will be placed in the top-level directory.  However,
automake: this behaviour will change in future Automake versions: they will
automake: unconditionally cause object files to be placed in the same subdirectory
automake: of the corresponding sources.
automake: You are advised to start using 'subdir-objects' option throughout your
automake: project, to avoid future incompatibilities.
Makefile.am: installing 'build-aux/depcomp'
parallel-tests: installing 'build-aux/test-driver'
autoreconf: Leaving directory `.'
configure: loading site script /usr/local/share/config.site
checking for a BSD-compatible install... /usr/local/bin/ginstall -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/local/bin/gmkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether UID '502' is supported by ustar format... yes
checking whether GID '20' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking whether to enable maintainer-specific portions of Makefiles... yes
checking whether make supports nested variables... (cached) yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking dependency style of gcc... (cached) gcc3
checking build system type... x86_64-apple-darwin14.5.0
checking host system type... x86_64-apple-darwin14.5.0
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/local/bin/gsed
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld
checking if the linker (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm
checking the name lister (/usr/bin/nm) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 196608
checking how to convert x86_64-apple-darwin14.5.0 file names to x86_64-apple-darwin14.5.0 format... func_convert_file_noop
checking how to convert x86_64-apple-darwin14.5.0 file names to toolchain format... func_convert_file_noop
checking for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld option to reload object files... -r
checking for objdump... no
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... no
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for dsymutil... dsymutil
checking for nmedit... nmedit
checking for lipo... lipo
checking for otool... otool
checking for otool64... no
checking for -single_module linker flag... yes
checking for -exported_symbols_list linker flag... yes
checking for -force_load linker flag... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... yes
checking for gcc option to produce PIC... -fno-common -DPIC
checking if gcc PIC flag -fno-common -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld) supports shared libraries... yes
checking dynamic linker characteristics... darwin14.5.0 dyld
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for pkg-config... /usr/local/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for BUILDDEP_LIBGIT_GLIB... yes
checking for git_libgit2_init... yes
checking for xsltproc... /usr/bin/xsltproc
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

    git-evtag 2016.1

    man pages (xsltproc):                    yes
    installed tests:                         no
    Rust implementation:                     no

MacBook-Pro:git-evtag ibeekman$ make
git.mk: Generating .gitignore
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-recursive
  CC       git_evtag-git-evtag.o
  CCLD     git-evtag
  GEN      man/git-evtag.1
I/O error : Attempt to load network entity http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
warning: failed to load external entity "http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"
cannot parse http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
make[2]: *** [man/git-evtag.1] Error 4
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

Also, this depends on libgit2 and this should be stated explicitly in the README.md and/or an INSTALL.md file (See #8 too)

Support -m, -F

Make it easy for people to do pre-written tag messages.

2022.1 release

I'd like to do a 2022.1 release, mainly to incorporate @pwithnall's submodule fixes and my Meson build system. @cgwalters, do you want to tag that release, or would you prefer me to do it, or are there important changes pending that mean we should delay it?

Draft release notes: https://github.com/cgwalters/git-evtag/releases/tag/untagged-3a452443d2570a6ad3d6

Do I understand correctly that this project does not officially release Autotools make dist tarballs or a canonical git archive tarball, only git tags signed using the project itself?

Unless @cgwalters feels differently, I would be inclined to do this release with both Autotools and Meson included, and then remove Autotools afterwards. Does that seem right?

Installation instructions

Related to a suggestion for better cryptographic timestamping of Git repos & other things, git-evtag was proposed as a solution to the weak SHA-1 hashes Git uses. I wanted to try it out to see whether it could be easily used with the timestamping as a post-commit hook, but I can't seem to get it to compile/install, and the README currently includes nothing about how to install it.

What I tried on my Ubuntu 14.04.3 LTS system:

git --version
# git version 1.9.1
git clone 'https://github.com/cgwalters/git-evtag.git'
cd ./git-evtag/
sudo apt-get install libglib2.0-dev libgit2-dev
./autogen.sh
./configure --prefix=/home/gwern/bin
make && make install

This errors out during the make:

make  all-recursive
make[1]: Entering directory `/home/gwern/src/git-evtag'
make[2]: Entering directory `/home/gwern/src/git-evtag'
  CC       git_evtag-git-evtag.o
src/git-evtag.c: In function ‘checksum_tree_callback’:
src/git-evtag.c:263:9: error: implicit declaration of function ‘git_submodule_free’ [-Werror=implicit-function-declaration]
         git_submodule_free (submod);
         ^
src/git-evtag.c: In function ‘main’:
src/git-evtag.c:988:3: error: implicit declaration of function ‘git_status_init_options’ [-Werror=implicit-function-declaration]
   r = git_status_init_options (&statusopts, GIT_STATUS_OPTIONS_VERSION);
   ^
cc1: some warnings being treated as errors
make[2]: *** [git_evtag-git-evtag.o] Error 1
make[2]: Leaving directory `/home/gwern/src/git-evtag'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/gwern/src/git-evtag'
make: *** [all] Error 2

If I'm doing something wrong here, please advise; it would also be good if an authoritative section could be added to the README explaining how to compile & install this.

git submodules

We should by default recurse I think.

`git replace`

How does git-evtag fit into this? Does libgit2 even know about them? Offhand it seems like we should ignore them.

ERROR: tests/test-basic.sh: File 'tag.txt' doesn't match regexp 'ExtendedVerify-SHA256-archive-tar: 83991ee23a027d97ad1e06432ad87c6685e02eac38706e7fbfe6e5e781939dab'

I try to create package for ALT Linux but make check does not pass with

+ git config --global gpg.program gpg2
+ make -j20 -C_build check VERBOSE=1
make  check-recursive
make  check-TESTS
make[4]: Entering directory '/usr/src/RPM/BUILD/git-evtag-2022.1/_build'
PASS: tests/test-basic.sh 1 setup
PASS: tests/test-basic.sh 2 tag + verify
PASS: tests/test-basic.sh 3 no tag on dirty tree
PASS: tests/test-basic.sh 4 no tag verify on non-HEAD
ERROR: tests/test-basic.sh - too few tests run (expected 7, got 4)
ERROR: tests/test-basic.sh - exited with status 1
...
...
...
+ git -c protocol.file.allow=always submodule update --init
Submodule 'subproject' (/var/tmp/tap-test.Cp17fd/repos/subproject) registered for path 'subproject'
Cloning into '/var/tmp/tap-test.Cp17fd/coolproject/subproject'...
done.
Submodule path 'subproject': checked out 'daa4f152b084ce61aba55070d91c6f35b7cab65f'
+ with_editor_script git evtag sign --with-legacy-archive-tag -u 472CDAFA v2015.1
+ env EDITOR=/var/tmp/tap-test.Cp17fd/editor.sh git evtag sign --with-legacy-archive-tag -u 472CDAFA v2015.1
+ git show refs/tags/v2015.1
+ assert_file_has_content tag.txt 'ExtendedVerify-SHA256-archive-tar: 83991ee23a027d97ad1e06432ad87c6685e02eac38706e7fbfe6e5e781939dab'
+ grep -q -e 'ExtendedVerify-SHA256-archive-tar: 83991ee23a027d97ad1e06432ad87c6685e02eac38706e7fbfe6e5e781939dab' tag.txt
+ echo 'File '\''tag.txt'\'' doesn'\''t match regexp '\''ExtendedVerify-SHA256-archive-tar: 83991ee23a027d97ad1e06432ad87c6685e02eac38706e7fbfe6e5e781939dab'\'''
File 'tag.txt' doesn't match regexp 'ExtendedVerify-SHA256-archive-tar: 83991ee23a027d97ad1e06432ad87c6685e02eac38706e7fbfe6e5e781939dab'
+ exit 1
ok no tag verify on non-HEAD
PASS: tests/test-basic.sh 4 no tag verify on non-HEAD
ERROR: tests/test-basic.sh - too few tests run (expected 7, got 4)
ERROR: tests/test-basic.sh - exited with status 1

============================================================================
Testsuite summary for git-evtag 2022.1
============================================================================
# TOTAL: 6
# PASS:  4
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 2
============================================================================
See ./test-suite.log
Please report to [email protected]
============================================================================

If you wish to see full build log, it's temporary there https://git.altlinux.org/tasks/312467/build/100/x86_64/log

Include object boundaries in hashing

Based on the pseudo-code, the tree traversal hashes the sub-objects without any length indicator or explicit delimiter. Instead, it relies on the object lengths encoded at the Git layer. I think this kind of layering violation is problematic. You should encode these boundaries at your hashing layer.

Otherwise, you could just sign the top-level commit because you are not isolated from SHA-1 hashing issues Git may be troubled with one day.

incorrect FSF address

LGPL (v2 or later) (with incorrect FSF address)
-----------------------------------------------
git-evtag-2016.1/src/git-evtag.c
git-evtag-2016.1/tests/libtest.sh
git-evtag-2016.1/tests/test-basic.sh

user specific information in rust/Cargo.toml

Contains the following:

[dependencies.git2]
path = "/home/walters/src/github/alexcrichton/git2-rs"

[dependencies.libgit2-sys]
path = "/home/walters/src/github/alexcrichton/git2-rs/libgit2-sys"

Which causes me to get an error because I don't have those directories. I'm new to rust so I don't know if this is normal or not.

Question about malleability

Hello!

First of all, thank you for this project! I was working on something very similar, but in JS.

The question that I have is regarding the possible malleability of the output hash. Let's say that we have a repo with two directories:

lib/
  a
  b
test/
  c

And another one with:

lib/
  a
  b
  test/
    c

Currently they will result in different hashes, however if we think that the collision attack on the SHA-1 is feasible - it is possible to modify file contents in such way that the resulting hashes will turn out to be the same.

I think hashing number of sub-objects into the main digest should be enough to protect against this. What are your thoughts on this?

merge into git?

Do you see any chances of getting this merged in mainline git?

Make it easier to verify tags using specific keys

git tag --verify uses the user's default keyring.

I'd at least like to support git-evtag --verify-with-key=1CEC7A9DF7DA85ABEF843DC0A866D7CCAE087291
for example.

submodule lookup incorrectly assumes name matches tree entry name

The submodule lookup should take the full path of the tree entry (not just the entry name itself) and it should then find the matching submodule. Note that the name of a submodule by default is its path, but this might not be the case.

I am running into a problem with this in SDAPS (https://github.com/sdaps/sdaps/blob/master/.gitmodules). The module is called "tex/class" with the same path. But, evtag looks for "class".

In this case, I can easily work around that by renaming the submodule to "class" (maybe I will do that). But, I guess one could theoretically have two submodules with the same tree entry name in two different parts of the tree ...

Need better error message when submodules are missing.

so just tried to use git-evtag to verify the latest tag from rpm-ostree and I'm seeing an issue:

$ rpm -q git-evtag
git-evtag-2016.1-1.fc22.x86_64
$ git checkout v2016.1
...
$ git-evtag verify v2016.1
gpg: Signature made Mon 28 Mar 2016 11:13:48 AM EDT using RSA key ID 21C13F0B
gpg: Good signature from "Colin Walters <[email protected]>"
gpg:                 aka "Colin Walters <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1CEC 7A9D F7DA 85AB EF84  3DC0 A866 D7CC AE08 7291
     Subkey fingerprint: AB92 8A9C F8DD 0629 09C3  7BBD DC45 FD59 21C1 3F0B
error: Failed to resolve path '/home/dustymabe/Desktop/development/rpm-ostree/libglnx/.git': No such file or directory

Colin pointed out this is an issue because I haven't ran git submodule update --init. We need a better error message for this.

Need to support newer libgit2 APIs

make[2]: Entering directory '/extra-data/checkout/gnome/git-evtag'
  CC       git_evtag-git-evtag.o
src/git-evtag.c: In function ‘main’:
src/git-evtag.c:978:3: error: implicit declaration of function ‘git_threads_init’ [-Werror=implicit-function-declaration]
   git_threads_init();
   ^
cc1: some warnings being treated as errors
Makefile:1128: recipe for target 'git_evtag-git-evtag.o' failed

Should check for pre-existing tag on startup

Just as a quick preflight check before bringing up the editor rather than letting git error out on exit after having typed stuff out. Thankfully it saves the draft, so this is mostly about the UX papercut.

Add commit message support

Currently we have ability to verify tags. But it would be greatly beneficial to be able to sign and verify commit messages, with and without gpg signatures.

> git cat-file -p 8daac22021c9f01a68cd81a357679c105cfe034c
tree fa70095586eca8f25721f018f0be68c929fc6a96
parent 7c58b2021a066f1e552deeb37431bc70b6215d62
author Adam Majer <[email protected]> 1688037521 +0200
committer Adam Majer <[email protected]> 1688037540 +0200

testing

Git-EVTag-v0-SHA512: 64ea6fbecfb72fa24936f90d44024d4f98889c76eb07d8027852cfe074aa76e9ee4afdfe72f380391ae9be28cea3734c26beaa5b6876bfefb62debaa8be56ece

Then verification should be done in similar way that GPG verification, where the signature headers are stripped from the commit and then verified. Currently the Git-EVTag-v0-SHA512 header is not stripped from the calculation and this has to happen to make this possible.

Git is part of the trusted computing base

With the current design, it is necessary to use Git to clone the repository and use Git to walk the trees. This means that Git is exposed to untrusted data before the signature is verified, making it part of the TCB. This is not desirable because Git is quite large.

At least, the recommended steps should verify the signature before a checkout is performed (which is probably the most risky operation because it involves partially attacker-controlled file system operations).