|
|
Subscribe / Log in / New account

A new hash algorithm for Git

A new hash algorithm for Git

Posted Feb 4, 2020 19:57 UTC (Tue) by mirabilos (subscriber, #84359)
In reply to: A new hash algorithm for Git by KaiRo
Parent article: A new hash algorithm for Git

I know what a signature is and all that, but I absolutely don’t get where you are going with this.

When I currently have a signed commit…

-----BEGIN cutting here may damage your screen surface-----
$ git cat-file -p HEAD
tree 937122472a792ada03309a60b7a31e02a29aa764
parent 53861b4a1544c7c8825f1414c37c9694c84c5d92
author mirabilos <m@mirbsd.org> 1580771045 +0100
committer mirabilos <mirabilos@evolvis.org> 1580771470 +0100
gpgsig -----BEGIN PGP SIGNATURE-----
Comment: ☃ ЦΤℱ—8 ☕☂☄

iQIcBAABCQAGBQJeOKiPAAoJEIlQwYleuNOzSzYP/3xowIYpxJwuHfdP8oRekbSZ
eVI9mO5g8KC+SUe5oGCbocH478pBUp5AOYlFGL0awetklijRmF+EeYp+a1IluCww
GD2pSPFCpxSjScERlED5YYpfaaw1XEutoGHYQNMAUQhlRMzS8NwhGJjTuoIbvE4X
hMntoMtDM7sPJ3CIADIoYzXIcdaqsELvqptuvNdo9S/PIyR6OFWhpF68Qn+SILqk
N+fOA/KpgQLsRmMEVy3YtqmMdToYXoP3m4ec0/QSoN90QVrO9ZnVG2+0f9yeEiVn
xEWiaSSsz5vtniBLzOvQ6FeE0h08ZsQi9dcTj8aq3tDtUJb2sQi6q79Gl5StmfHI
8HN9q8ZQP/Vh8kIT5z3lcuNnb3y7sc90ZzY5i7Q2YwfKNbJ5mAEMvSgzBxcrDflR
/kjUJcXJg98IzJsWbE3k9gRc9yatqKQii0GiaxID13fCfl++4klJrFMEyoTdhta4
5a7vGa6OuHr+MWsT+35yQsR6Mt1DnMY2oNArTgWG3DfNQK8zb7rIExPbuV6pLP2O
X67ZCVSHwRTrLWnDHjSuQH4Hfoibq96Ga9wJwEjw0+sWKzg4CgvQH6L+UiXIZO0/
2+hhF507WUCKh8Uit2nrRsGhVnXJrI5QZsD857oAifcBFslbTLwTCkj+3gccHxwH
A/BAeG4zN0JrdvMzx0pN
=9w0P
-----END PGP SIGNATURE-----

erm yes, the symlink…
-----END cutting here may damage your screen surface-----

… or tag…

-----BEGIN cutting here may damage your screen surface-----
$ git cat-file -p mksh-57-6
object 3ece4d6c67f32b8e2b9b00900d05cc06c658fc87
type commit
tag mksh-57-6
tagger mirabilos <mirabilos@evolvis.org> 1580771932 +0100

mksh (57-6) unstable; urgency=low
-----BEGIN PGP SIGNATURE-----
Comment: ☃ ЦΤℱ—8 ☕☂☄

iQIcBAABCQAGBQJeOKpdAAoJEIlQwYleuNOzE3EP/1Qu6w3ZnelCbTcR0/lR1QaH
qisRANlIKYq0MVDOmhzGZ4m6/ri9b2njI16x0R3otaIT2QfG2ldj8U/Sq7Vpm6Xb
uTpMluMzFj6sungPYOCvgbDVcVqt4+qCAwtFL5Lt2gpfN45KwYO0RdrSCY8wFD3N
TO3Wq7M3DXt99F9mMY/L+XfvbpDAMzjCEK0tgTAal4QWnnb7V2Y1bVnZjos5XZTV
hWW4kJMqBp2Hf99KLqnjijfPgZkqbSMYKy14Nsqo1cSujwPpOH2MgDbyuun1SuSA
K6U0JT1iyIsL/ixkCx8vi6ejIGGQXXpGEq4K4RA3Wc4ALB/FWC9Y2MrCEExG0wEV
tDkto90sbD6Nymnii1apG2Q7aSyDNDjsiRT2tzYN2S5EzItYtV0V8ZXoxiYk/c/Z
ttAcdXxh8R4+5p3yNYwAjTSzZe8ohvgHFXoAUGVpk7g9oArlNiJmqkrW3BGdFrCb
gH0h4UpiXr3pgnlPi247alGT18Xly5cBX3CbjORGDNsUDZoGPLlVuyW46PaRel3V
P8BODtOoFkoK7JyFCRP70Z97vQig+L9nbN5tf50haYlxhO7oOSU7RzQJxgv2tLza
AT0bg6Wfs4I9VV/MjocIirwrbihZY1gMgURgad5PdoNjoyNy+vd6OKMFQm1i/eUF
hGIwKngrue1A9RMKPaCG
=JPiZ
-----END PGP SIGNATURE-----
-----END cutting here may damage your screen surface-----

… these hardcode the SHA-1 hashes. These are, thus, needed to verify the signature. This also cannot be rewritten.

As a user, I’d expect that, after full git conversion to a new hash, I’ll still be able to verify these. That was the question.

to post comments

A new hash algorithm for Git

Posted Feb 5, 2020 9:50 UTC (Wed) by geert (subscriber, #98403) [Link] (2 responses)

So you have to keep the translation table from SHA-1 to SHA-256 for all old objects.

Cfr. " To address this issue, one can imagine that the Git developers may eventually add a mode where translations for old SHA‑1 hashes remain in the repository, but no SHA‑1 hashes for new objects are added.".

A new hash algorithm for Git

Posted Feb 13, 2020 23:57 UTC (Thu) by floppus (guest, #137245) [Link] (1 responses)

But to verify a signature, you don't just need a translation table for all the old objects, you actually need the old objects themselves (or be able to somehow reconstruct the original objects, byte for byte.)

Otherwise, assuming you trust the person who generated the signature but you don't trust the contents of the git repository, you have no way of knowing that the commit you're looking at actually corresponds to the same source tree that the person signed.

A new hash algorithm for Git

Posted Feb 14, 2020 1:20 UTC (Fri) by excors (subscriber, #95769) [Link]

Perhaps the translation table should be signed. After the repository is converted to SHA-256, someone trusted (e.g. Linus Torvalds) can run a tool that scans through the translation table, fetches the object corresponding to each SHA-256, computes its SHA-1, verifies the translation table says the same SHA-1, then signs the translation.

Then a regular user can verify a commit (identified by its SHA-256) by using the signed translation table to find the corresponding SHA-1 and checking the committer's signature of that SHA-1. That avoids the performance cost of having to fetch the entire object from disk to compute its SHA-1 before checking the signature, while avoiding the danger of a falsified translation table that tries to link the signed SHA-1 to a totally different commit that doesn't actually match that SHA-1.

As a bonus, if SHA-1 gets completely broken in the future, I think the repository would remain secure. If a future attacker can manufacture a commit whose SHA-1 matches an old signed commit, they could try to insert that commit into the repository with a valid translation table entry (containing the colliding SHA-1 and a new non-colliding SHA-256) and reuse the old commit's signature on their new commit (since it's only signing the SHA-1). If the translation table was unsigned, the attacker could succeed. But if it was signed, there's no way to insert the new translation table entry without tricking Linus into signing the new table. And Linus can avoid being tricked if he simply stops signing any new translation tables beyond the point when SHA-1 gets completely broken (which should be many years away).

A new hash algorithm for Git

Posted Feb 5, 2020 19:40 UTC (Wed) by KaiRo (subscriber, #1987) [Link] (1 responses)

The problem is that with quantum computers, you can actually forge signatures, i.e. you actually _can_ rewrite those things and/or make something, e.g. a git commit, look like it could be verified to be from someone despite it being from someone else - at least using the current (RSA) mechanisms. We need to use new, quantum-safe signatures in the future. Unfortunately, the security community has not settled on what the widely-accepted algorithms for that may be, though there are developments in this area.

The actual hash that is signed is a different topic. You should be able to verify those signed hashes as long as the original hash is available (part of what the original article is about) and the signature can be trusted (which may not be the case forever, as I was pointing to).

A new hash algorithm for Git

Posted Feb 6, 2020 15:40 UTC (Thu) by luto (guest, #39314) [Link]

There are several excellent hash-based signature algorithms that appear to be fully secure against quantum attack. They don’t extend to encryption or to key exchange, so they are not full RSA replacements.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds