3

If I use GPG to sign a commit (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) and then check the contents of the commit object I just created:

git commit -a -S -m "This is a Signed commit"
git cat-file -p HEAD

I get:

tree 1265193cc831c2bd47cedbb27f029e5d45fa0bb039d5bb5136f152a3e88c07b0
parent 16625976433ec56a26feb1478051b28b78684a3d68f475221afcfae2a7aaaa0d
author John Doe <john.doe@internet.www> 1612379624 +0100
committer John Doe <john.doe@internet.www> 1612379624 +0100
gpgsig-sha256 -----BEGIN PGP SIGNATURE-----

 iQGzBAABCAAdFiEELgGt+L8yg4keIDJDpyYj1XHdLa8FAmAa9egACgkQpyYj1XHd
 La+BogwA0VEoobCJPRLk2olHzW6iO9ioyxIrrW6uPAcLv6uernxrGDK6odYuywED
 XeVEu3L9/HLG8MYSqgAGKDWfiOphRi5Lw1fLnSA3MNC1uh18OqdmD/PjyP9hMnbC
 XayugJJ2dPkUHADxeDoQOGHg6wmfn+/4IsHit74YsAYXcDz1/QIHrEGMPCwROGCX
 Nb1srMw2/8e+NM9U5h5KSw5ZYmBtSynIWCsHBC2w8eqvuhKMmKxbGV3izV7eOTfl
 R8aC2FJSuSd/MhGprAki2sW1efiNr1EJNt/hvP2S9Eq/fkLUlVuWk5cyg/8tDJX5
 VQO5RqCTR/Yz5mleoKMOeBBARzWK/r1l0bVQZYoraO8I8zxuLt5gkxqvqTOrhOKy
 uTX58BdQHSlx1fU02UuPruimpbSZOBhwPFeVXl8Kj3zUWLNpTeQXZ/MSNZOiR1qF
 xMdqKbuzh53B3tqvd02Cy7jdIssT8DwLM5V3IjYfv/GG/iQOE7BHGxYbPgEkv4e6
 KvUBxEjj
 =8gBZ
 -----END PGP SIGNATURE-----

This is a Signed commit

What exactly is the digest that is being signed? If the signature is embedded in the commit object, then it can hardly be the commit hash itself - so is it the tree hash? Or something else? Does that in turn mean that the commit message is not signed and could be tampered with?

Note: I'm using a git repository here that was initialized with --object-type sha256 to use SHA-256 based hashes (by default git uses SHA-1), but my question applies to git repositories with SHA-1 hashes as well (in case gpg signature works differently for SHA-1 and SHA-256 repositories)

matthias_buehlmann
  • 4,641
  • 6
  • 34
  • 76
  • 4
    https://security.stackexchange.com/questions/243347/when-i-sign-a-git-commit-what-is-my-signature-actually-based-on –  Feb 03 '21 at 19:43
  • 1
    It's really very much easier than you're making it seem. The digest is the hash the basic commit would have. The resulting commit's hash is of the basic-commit-plus-signature. – jthill Feb 03 '21 at 19:51
  • @jthill then how would I recover the original digest if I'd want to verify the signature manually? remove the signature between header and commit message and then calculate the SHA-1 (or SHA-256) of the result? – matthias_buehlmann Feb 03 '21 at 19:58
  • 1
    Try it and see. – jthill Feb 03 '21 at 20:13

1 Answers1

2

The data you're signing is the entirety of the commit or tag object, minus the contents of any multi-line headers starting with gpgsig, and, in the case of tags, the contents of the trailing tag signature. So, basically the contents of the object minus the signature portions themselves. That includes the message.

Note that the hash of the object includes the signature, so the signature cannot be removed or changed (or additional ones added) unless you rewrite history.

Git 2.30 and before had a bug where they would incorrectly flag a commit or tag with multiple signatures as being invalid. There's a patch that will likely be included in the next version to fix that.

If you put the commit without the signature portion into a file called commit and put the signature portion (minus the leading whitespace) into a file called commit.asc, you can verify the signature with gpg --verify commit.asc.

bk2204
  • 64,793
  • 6
  • 84
  • 100