[Cryptech Core] git signed push

Rob Austein sra at hactrn.net
Thu May 7 11:29:01 UTC 2015


At Thu, 07 May 2015 09:01:23 +0200, Joachim Strömbergson wrote:
> Randy Bush wrote:
> >> Interesting problem with git signed push: 
> >> https://developer.atlassian.com/blog/2015/05/git-horror-story-loose-nonces/
> >
> > sra is lead sysadmin on that machine.  but as far as i can tell,
> > there is not yet an update available to the git port.

Sorry, I'm busy moving to the Bahamas, along with all the money I
collected using this scheme, now that you've found me out.

git is currently at 2.3.5, which was installed less than a month ago.
pkg audit shows no vulnerabilities posted for this version, but 2.4.0
is now the latest, so we'd be picking that up sooner or later.  May as
well do it now.  Dunno whether it includes the signed push nonce fix.

> > and this does not look as if it is a threat to us.
> 
> That is also my understanding since we use signed commit, not signed
> push. One could use both though.

One could, but signed push doesn't bring any obvious new benefits, and
is not something third parties can audit after the fact, so I don't
think it's all that useful in our case.  Before seeing this report I
would have said it's harmless, apparently not.
