Git provides the option to sign annotated tags with your GPG private key, but what is wrong with just accepting a tag’s claimed origin? What damage could a spoofed tag do when the tag does not alter the commit?
That you have no guarantee that it’s correct; you’d have to put trust in every single person who has access to the repo (authorized or not) not to falsely create a tag. Signing guarantees (at least as much as GPG can offer) that the person who created the tag is who you think they are.
None. You seem to have gotten two different ideas confused here. A tag and a commit are completely separate objects—a tag points to a commit, but a tag is not a commit. Thus, a tag will never alter a commit. This is potentially where more danger lies: a falsified tag will not change the commit history unexpectedly, and would more easily go unnoticed.
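An added example that is not from either answer above or from Git's own documentation: a POSIX shell session that assumes only `git` is installed and no GPG key, so it exercises the unsigned case the answers describe. It shows that an annotated tag is its own object, that it can be created or re-pointed without any commit hash changing, and that `git verify-tag` rejects it because nothing vouches for its origin.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes only `git` is
# installed; no GPG key is needed because it demonstrates the *unsigned* case:
# a tag is a separate object pointing at a commit, so it can be created or
# moved without touching history, and verification fails for lack of a signature.
set -e

# Create a throwaway repository with two empty commits and print its path.
make_repo() {
  repo_dir=$(mktemp -d)
  git -C "$repo_dir" init -q
  git -C "$repo_dir" config user.name "example"
  git -C "$repo_dir" config user.email "example@example.invalid"
  git -C "$repo_dir" commit -q --allow-empty -m "first"
  git -C "$repo_dir" commit -q --allow-empty -m "second"
  echo "$repo_dir"
}

# Object type of a ref: "tag" for an annotated tag object, "commit" for a commit.
object_type() { git -C "$1" cat-file -t "$2"; }

# Hash of the commit a tag ultimately points at.
tag_target() { git -C "$1" rev-parse "$2^{commit}"; }

# Hash of the tip commit; used to show tag edits leave history untouched.
head_commit() { git -C "$1" rev-parse HEAD; }

# "verified" only if git can verify a signature on the tag; "unverified" for
# unsigned annotated tags and lightweight tags alike (the check a consumer runs).
verify_tag() {
  if git -C "$1" verify-tag "$2" >/dev/null 2>&1; then echo verified; else echo unverified; fi
}

# Create an unsigned annotated tag, or force-move an existing one to another
# commit. tag.gpgSign is forced off so the example never needs a GPG key.
create_tag() { git -C "$1" -c tag.gpgSign=false tag -a -m "release" "$2" "$3"; }
move_tag()   { git -C "$1" -c tag.gpgSign=false tag -f -a -m "release" "$2" "$3" >/dev/null; }

repo=$(make_repo)
tip=$(head_commit "$repo")
first=$(git -C "$repo" rev-parse HEAD~1)
create_tag "$repo" v1.0 "$tip"
echo "v1.0 is a '$(object_type "$repo" v1.0)' object -> $(tag_target "$repo" v1.0)"
echo "verify-tag says: $(verify_tag "$repo" v1.0)"
move_tag "$repo" v1.0 "$first"
echo "v1.0 moved -> $(tag_target "$repo" v1.0); HEAD still $(head_commit "$repo")"
if [ "$(head_commit "$repo")" = "$tip" ]; then echo "commit history untouched"; fi
rm -rf "$repo"
```

Because the tag name resolves to whatever commit the tag object currently names, a moved tag silently changes what `git checkout v1.0` builds while every commit hash stays the same; a signed tag plus `git verify-tag` in the consumer's pipeline is what catches this.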