Authenticate a tarball through a signed tag in a git repository (with reproducible builds)

Overview

auth-tarball-from-git

Authenticate a tarball through a signed tag in a git repository (with reproducible builds).

The signed git tag contains a hash of a commit object:

object a631953b1241368b5f6bc471f9d89948f985fcb3
type commit
tag openpgp/v1.9.0
tagger Justus Winter <[email protected]> 1653320477 +0200

openpgp: Release 1.9.0.
-----BEGIN PGP SIGNATURE-----

iQEzBAABCgAdFiEEJWpOVeSnLZetJGjniNx+MzhfeR0FAmKLqx0ACgkQiNx+Mzhf
eR1w7gf+MSS1Su+kclHSKpVCg03TTyVdg+zx95FTlQjBtGaSRMbOAoWvCX53hZm9
/w2YZJdHTGAR50hFj78xnQjPg8bSEYrQD6HaMc/TYlFkrQcPQULCV8aNiiTlKPUC
GC0L8OecqG1tILejLtWkJpoSAh+oAK0QKjgyy3bYZU+KzCinV2+TC8LaAvcBSngt
R/Xu9g8X6CYf88mfO+IAyGeaDD+JMyQFp6q1fgzlFx/lA31iIg49vf1b9yQo2fxA
y8hnYu+dztZNMRcEL7Cl5UgFnT4tDv/rDlNpM136KHyvrXaqYC0GhNEoAsXX975L
9o0OzzRPOAxJj9/4Wigvu/fhOWRXSA==
=8qk5
-----END PGP SIGNATURE-----

If we don't have a signed tarball but we do have a signed git tag we can use this signature to prove authenticity of the tarball. To do this we verify the signature, then attempt to generate an identical tarball from the commit specified in the tag. This is possible because the output of git archive is deterministic as long as the parameters are identical.

Using the source code from the tarball is preferable because it can be pinned with modern cryptographic hash functions while git can only offer sha1.

Signature verification is done with sequoia-pgp instead of gpg.

⚠️ Security Considerations ⚠️

Signed git tags only authenticate the tag name, not the repository url. A v0.1.0 tag can be replayed from one repository into another if they are both signed by the key provided in --keyring.

The hash in the signed tag is a SHA1 hash, which is known to be problematic (2005, 2017, 2020). Regardless of the quality of the pgp signature, verifying a tarball with git can only provide sha1-tier cryptographic properties.

Usage

# Sequoia
$ wget https://keys.openpgp.org/vks/v1/by-fingerprint/CBCD8F030588653EEDD7E2659B7DD433F254904A
$ wget https://gitlab.com/sequoia-pgp/sequoia/-/archive/openpgp/v1.9.0/sequoia-openpgp-v1.9.0.tar.gz
$ auth-tarball-from-git --keyring CBCD8F030588653EEDD7E2659B7DD433F254904A --tag openpgp/v1.9.0 https://gitlab.com/sequoia-pgp/sequoia sequoia-openpgp-v1.9.0.tar.gz
[2022-05-27T19:28:50Z INFO  auth_tarball_from_git] Cloning repository from "https://gitlab.com/sequoia-pgp/sequoia"
[2022-05-27T19:28:54Z INFO  auth_tarball_from_git] Tag successfully verified
[2022-05-27T19:28:54Z INFO  auth_tarball_from_git] Reproducing archive...
[2022-05-27T19:28:55Z INFO  auth_tarball_from_git] Reading input that should be verified...
[2022-05-27T19:28:55Z INFO  auth_tarball_from_git] Comparing...
OK

# Monero
$ wget https://github.com/monero-project/monero/archive/refs/tags/v0.17.3.2.tar.gz
$ wget https://github.com/monero-project/monero/blob/master/utils/gpg_keys/luigi1111.asc
$ auth-tarball-from-git --keyring luigi1111.asc --tag v0.17.3.2 --prefix monero-0.17.3.2 https://github.com/monero-project/monero v0.17.3.2.tar.gz
[2022-05-27T19:30:03Z INFO  auth_tarball_from_git] Cloning repository from "https://github.com/monero-project/monero"
[2022-05-27T19:30:06Z INFO  auth_tarball_from_git] Tag successfully verified
[2022-05-27T19:30:06Z INFO  auth_tarball_from_git] Reproducing archive...
[2022-05-27T19:30:08Z INFO  auth_tarball_from_git] Reading input that should be verified...
[2022-05-27T19:30:08Z INFO  auth_tarball_from_git] Comparing...
OK

Dependencies

Needs sqv from the sequoia-pgp project to be installed to verify pgp signatures.

Funding

This project was funded by myself with github sponsors.

License

GPLv3+

You might also like...
🗂️ A simple, opinionated, tool, written in Rust, for declaratively managing Git repos on your machine.

gitrs 🗂️ A simple, opinionated, tool, written in Rust, for declaretively managing Git repos on your machine. "simple" - limited in what it supports.

Harness the power of signify(1) to sign arbitrary git objects

git-signify A tool to sign arbitrary objects in a git repository. Generating keys Signing keys can be generated with signify, from the OpenBSD project

Official Repository for the InvArch platform.
Official Repository for the InvArch platform.

InvArch The Future of Innovation The world’s first intellectual property tokenization & networking platform. Official Repository for the InvArch platf

Meta-repository for Miscreant: misuse-resistant symmetric encryption library with AES-SIV (RFC 5297) and AES-PMAC-SIV support

The best crypto you've never heard of, brought to you by Phil Rogaway A misuse resistant symmetric encryption library designed to support authenticate

Generate Nix fetcher calls from repository URLs [maintainer=@figsoda]

nurl Generate Nix fetcher calls from repository URLs $ nurl https://github.com/nix-community/patsh v0.2.0 2/dev/null fetchFromGitHub { owner = "nix

LLM-chain Rust Template Repository

Jumpstart your llm-chain projects with the llm-chain-template repository! This template provides a foundation for using the llm-chain library, complete with example code and instructions to get you started effortlessly.

Built on the Substrate-based runtime, this repository develops the Paralink Network, a cross-chain Oracle platform for secure and scalable data integration. Our goal is to create a robust infrastructure that ensures efficient and reliable data transmission across blockchain networks.
Verify that registry crates in your Cargo.lock are reproducible from the git repository

cargo-goggles Verify that registry crates in your Cargo.lock are reproducible from the git repository. This cargo subcommand analyzes the following pr

Independent verification of binary packages - reproducible builds
Independent verification of binary packages - reproducible builds

rebuilderd(1) Independent verification system of binary packages. Accessing a rebuilderd instance in your browser Scripting access to a rebuilderd ins

Reproducible builds, dev envs and deployments.

🐂 Toros An implementation of Nix in Rust. Syntax support: With NixEL Interpreter support: Int Binding (aliasing) Let-in (flat bindings without interp

replaces fixed-sized string prefixes & whole sections in binaries for fast, debuggable, reproducible builds

Replacing fixed-sized string prefixes in binaries to refix them to their build context Here's the long story about what refix does and why you'd want

Bring the power of pre-signed URLs to your apps. Signway is a gateway for redirecting authentic signed URLs to the requested API
Bring the power of pre-signed URLs to your apps. Signway is a gateway for redirecting authentic signed URLs to the requested API

A gateway that proxies signed requests to other APIs. Check the docs for more info. If you are looking for the managed version checkout this link http

A Rust CLI tool that helps you enforce Git policies through Git hooks both server and client side

GitPolicyEnforcer This is a command line utility written in Rust, that helps you utilize Git hooks, to enforce various policies. It currently supports

A git sub-command to view your git repository in the web browser
A git sub-command to view your git repository in the web browser

git-view A git sub-command to view your git repository in the web browser! About Are you also frustrated from moving your hands away from the keyboard

use your GitHub SSH keys to authenticate to sshd
use your GitHub SSH keys to authenticate to sshd

aeneid If you squint, GitHub is basically a free, zero-ops IdP that provides SSH public keys. Let's use it to authenticate to OpenSSH! What / How? The

A floating, tag-based window manager written in Rust
A floating, tag-based window manager written in Rust

worm worm is a floating, tag-based window manager for X11. It is written in the Rust programming language, using the X11RB library. Install cargo buil

Authenticate to Minecraft using the Microsoft Authentication Scheme from Rust.

Authenticating to Minecraft with the Microsoft Authentication Scheme from Rust This program showcases an implementation of the microsoft authenticatio

Supertag is a tag-based filesystem, written in Rust, for Linux and MacOS
Supertag is a tag-based filesystem, written in Rust, for Linux and MacOS

Supertag is a tag-based filesystem, written in Rust, for Linux and MacOS. It provides a tag-based view of your files by removing the hierarchy constraints typically imposed on files and folders. In other words, it allows you to think about your files not as objects stored in folders, but as objects that can be filtered by folders.

A WHATWG-compliant HTML5 tokenizer and tag soup parser

html5gum html5gum is a WHATWG-compliant HTML tokenizer. use std::fmt::Write; use html5gum::{Tokenizer, Token}; let html = "title hello world/tit

Releases(v0.2.0)
Owner
Software supply-chain security. Formerly vulnerability research. Maintains packages in Arch Linux, Alpine, Debian. Steals food at conferences.
null
Authenticate the cryptographic chain-of-custody of Linux distributions (like Arch Linux and Debian) to their source code inputs

backseat-signed Authenticate the cryptographic chain-of-custody of Linux distributions (like Arch Linux and Debian) to their source code inputs. This

null 25 Apr 17, 2024
Dependency lockfiles for a reproducible build environment 📦🔒

repro-env Imagine you had a tool that takes a config like this: # repro-env.toml [container] image = "rust:1-alpine3.18" and turns it into something l

null 16 Jul 11, 2023
Git FIDO Helper - Sign your Git commits with multiple resident SSH keys

gfh Git FIDO helper, or God Fucking Help me. gfh is a tool for helping you sign your commits in Git with resident SSH keys stored on multiple FIDO dev

Michael Mitchell 16 Nov 30, 2022
Convenience crate for verifying crypto-signed messages

signature-verifier This crate provide an easy way to verify Solana and Ethereum wallet-signed messages. Installation Add the crate to your Cargo.toml

Tim Plotnikov 3 Apr 2, 2024
An example smart contract that builds on top of xyz

xyz Guestbook Tutorial Contract This repository contains an example smart contract that illustrates how to build on top of the xyz NFT contract. This

null 5 Apr 4, 2022
An HTTP proxy for assets (mainly images) to route requests through an always-encrypted connection.

camo-rs camo-rs is a frontend-compatible Rust-re-implementation of the now archived NodeJS-based atmos/camo - an HTTP proxy for assets (mainly images)

Dennis Schubert 7 Dec 8, 2022
Cosmwasm in Cosmwasm through ComposableFi/cosmwasm-vm

Cosmwasmception Running Fastest way to run this contract would be through our vm. But note that our vm runs an already built version this contract, so

Abdullah Eryuzlu 3 Oct 5, 2022
My attempt at learning Solana program (smart contract) development through RareSkill's Solana course.

60-days-of-solana My attempt at learning Solana program (smart contract) development through RareSkill's Solana course. Originally, I was trying to cr

Jasper 3 Feb 25, 2024
🔗 Tool for rebasing a chain of local git branches.

git-chain Tool for rebasing a chain of local git branches. Motivation Suppose you have branches, each depending on a parent branch (usually called "st

Alberto Leal 10 Jul 15, 2022
VSDB is a 'Git' in the form of a KV database.

VSDB VSDB is a 'Git' in the form of a KV database. Based on the powerful version control function of VSDB, you can easily give your data structure the

null 7 Oct 11, 2022