Why does Git need signed pushes?

前端 未结 2 1427
情话喂你
情话喂你 2020-12-31 01:43

In the release notes for Git 2.2.0, it describes a new option to git push, --signed:

\"git push\" learned \"--signed\" push, that a         


        
相关标签:
2条回答
  • 2020-12-31 02:25

    Here is an excerpt from the commit message that introduced signed pushes:

    While signed tags and commits assert that the objects thusly signed came from you, who signed these objects, there is not a good way to assert that you wanted to have a particular object at the tip of a particular branch. My signing v2.0.1 tag only means I want to call the version v2.0.1, and it does not mean I want to push it out to my 'master' branch---it is likely that I only want it in 'maint', so the signature on the object alone is insufficient.

    The only assurance to you that 'maint' points at what I wanted to place there comes from your trust on the hosting site and my authentication with it, which cannot easily audited later.

    So even though the commit is signed, you cannot be sure that the author intended that commit to be pushed to the branch master or to the branch super-experimental-feature. Signed pushes allow the server to keep a record of every push event and its signature. This log can then be verified to see that each commit was indeed intended to be on a particular branch.

    0 讨论(0)
  • 2020-12-31 02:33

    While signed pushes do allow the server to keep a record of every push event and its signature, it can fail to record the right user, before Git 2.19 (Q3 2018):

    "git send-pack --signed" (hence "git push --signed" over the http transport) did not read user ident from the config mechanism to determine whom to sign the push certificate as, which has been corrected.

    See commit d067d98 (12 Jun 2018) by Masaya Suzuki (draftcode).
    (Merged by Junio C Hamano -- gitster -- in commit 8d3661d, 28 Jun 2018)

    builtin/send-pack: populate the default configs

    builtin/send-pack didn't call git_default_config, and because of this git push --signed didn't respect the username and email in gitconfig in the HTTP transport.


    With Git 2.27 (Q2 2020), the validation of push certificate has been made more robust against timing attacks.

    See commit 719483e (22 Apr 2020) by Junio C Hamano (gitster).
    See commit edc6dcc (09 Apr 2020) by brian m. carlson (bk2204).
    (Merged by Junio C Hamano -- gitster -- in commit 2abd648, 28 Apr 2020)

    builtin/receive-pack: use constant-time comparison for HMAC value

    Signed-off-by: brian m. carlson

    When we're comparing a push cert nonce, we currently do so using strcmp.
    Most implementations of strcmp short-circuit and exit as soon as they know whether two values are equal.

    This, however, is a problem when we're comparing the output of HMAC, as it leaks information in the time taken about how much of the two values match if they do indeed differ.

    In our case, the nonce is used to prevent replay attacks against our server via the embedded timestamp and replay attacks using requests from a different server via the HMAC.

    Push certs, which contain the nonces, are signed, so an attacker cannot tamper with the nonces without breaking validation of the signature.

    They can, of course, create their own signatures with invalid nonces, but they can also create their own signatures with valid nonces, so there's nothing to be gained.

    Thus, there is no security problem.

    Even though it doesn't appear that there are any negative consequences from the current technique, for safety and to encourage good practices, let's use a constant time comparison function for nonce verification. POSIX does not provide one, but they are easy to write.

    The technique we use here is also used in NaCl and the Go standard library and relies on the fact that bitwise or and xor are constant time on all known architectures.

    We need not be concerned about exiting early if the actual and expected lengths differ, since the standard cryptographic assumption is that everyone, including an attacker, knows the format of and algorithm used in our nonces (and in any event, they have the source code and can determine it easily).

    As a result, we assume everyone knows how long our nonces should be.

    This philosophy is also taken by the Go standard library and other cryptographic libraries when performing constant time comparisons on HMAC values.

    0 讨论(0)
提交回复
热议问题