{"id":17310498,"url":"https://github.com/kpcyrd/auth-tarball-from-git","last_synced_at":"2025-04-14T14:22:34.479Z","repository":{"id":47436544,"uuid":"497117708","full_name":"kpcyrd/auth-tarball-from-git","owner":"kpcyrd","description":"Authenticate a tarball through a signed tag in a git repository (with reproducible builds)","archived":false,"fork":false,"pushed_at":"2022-05-28T01:58:59.000Z","size":14,"stargazers_count":17,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-28T03:23:01.730Z","etag":null,"topics":["cryptography","reproducible-builds","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://vulns.xyz/2022/05/auth-tarball-from-git/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kpcyrd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":["kpcyrd"]}},"created_at":"2022-05-27T19:39:45.000Z","updated_at":"2025-01-27T17:56:50.000Z","dependencies_parsed_at":"2022-08-23T10:10:16.985Z","dependency_job_id":null,"html_url":"https://github.com/kpcyrd/auth-tarball-from-git","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Fauth-tarball-from-git","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Fauth-tarball-from-git/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Fauth-tarball-from-git/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Fauth-tarball-from-git/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kpcyrd","download_url":"https://codeload.github.com/kpcyrd/auth-tarball-from-git/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248125593,"owners_count":21051771,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","reproducible-builds","supply-chain-security"],"created_at":"2024-10-15T12:37:23.978Z","updated_at":"2025-04-14T14:22:34.453Z","avatar_url":"https://github.com/kpcyrd.png","language":"Rust","funding_links":["https://github.com/sponsors/kpcyrd"],"categories":[],"sub_categories":[],"readme":"# auth-tarball-from-git\n\nAuthenticate a tarball through a signed tag in a git repository (with\nreproducible builds).\n\nThe signed git tag contains a hash of a commit object:\n\n```\nobject a631953b1241368b5f6bc471f9d89948f985fcb3\ntype commit\ntag openpgp/v1.9.0\ntagger Justus Winter \u003cjustus@sequoia-pgp.org\u003e 1653320477 +0200\n\nopenpgp: Release 1.9.0.\n-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCgAdFiEEJWpOVeSnLZetJGjniNx+MzhfeR0FAmKLqx0ACgkQiNx+Mzhf\neR1w7gf+MSS1Su+kclHSKpVCg03TTyVdg+zx95FTlQjBtGaSRMbOAoWvCX53hZm9\n/w2YZJdHTGAR50hFj78xnQjPg8bSEYrQD6HaMc/TYlFkrQcPQULCV8aNiiTlKPUC\nGC0L8OecqG1tILejLtWkJpoSAh+oAK0QKjgyy3bYZU+KzCinV2+TC8LaAvcBSngt\nR/Xu9g8X6CYf88mfO+IAyGeaDD+JMyQFp6q1fgzlFx/lA31iIg49vf1b9yQo2fxA\ny8hnYu+dztZNMRcEL7Cl5UgFnT4tDv/rDlNpM136KHyvrXaqYC0GhNEoAsXX975L\n9o0OzzRPOAxJj9/4Wigvu/fhOWRXSA==\n=8qk5\n-----END PGP SIGNATURE-----\n```\n\nIf we don't have a signed tarball but we do have a signed git tag we can use\nthis signature to prove authenticity of the tarball. To do this we verify the\nsignature, then attempt to generate an identical tarball from the commit\nspecified in the tag. This is possible because the output of `git archive` is\ndeterministic as long as the parameters are identical.\n\nUsing the source code from the tarball is preferable because it can be pinned\nwith modern cryptographic hash functions while git can only offer sha1.\n\nSignature verification is done with [sequoia-pgp](https://sequoia-pgp.org/)\ninstead of gpg.\n\n## ⚠️ Security Considerations ⚠️\n\nSigned git tags only authenticate the **tag name**, not the **repository url**. A\n`v0.1.0` tag can be replayed from one repository into another if they are both\nsigned by the key provided in `--keyring`.\n\nThe hash in the signed tag is a **SHA1** hash, which is known to be problematic\n([2005], [2017], [2020]). Regardless of the quality of the pgp signature,\nverifying a tarball with git can only provide sha1-tier cryptographic\nproperties.\n\n[2005]: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html\n[2017]: https://shattered.io/\n[2020]: https://www.ntu.edu.sg/news/detail/critical-flaw-demonstrated-in-common-digital-security-algorithm\n\n## Usage\n\n```sh\n# Sequoia\n$ wget https://keys.openpgp.org/vks/v1/by-fingerprint/CBCD8F030588653EEDD7E2659B7DD433F254904A\n$ wget https://gitlab.com/sequoia-pgp/sequoia/-/archive/openpgp/v1.9.0/sequoia-openpgp-v1.9.0.tar.gz\n$ auth-tarball-from-git --keyring CBCD8F030588653EEDD7E2659B7DD433F254904A --tag openpgp/v1.9.0 https://gitlab.com/sequoia-pgp/sequoia sequoia-openpgp-v1.9.0.tar.gz\n[2022-05-27T19:28:50Z INFO  auth_tarball_from_git] Cloning repository from \"https://gitlab.com/sequoia-pgp/sequoia\"\n[2022-05-27T19:28:54Z INFO  auth_tarball_from_git] Tag successfully verified\n[2022-05-27T19:28:54Z INFO  auth_tarball_from_git] Reproducing archive...\n[2022-05-27T19:28:55Z INFO  auth_tarball_from_git] Reading input that should be verified...\n[2022-05-27T19:28:55Z INFO  auth_tarball_from_git] Comparing...\nOK\n\n# Monero\n$ wget https://github.com/monero-project/monero/archive/refs/tags/v0.17.3.2.tar.gz\n$ wget https://github.com/monero-project/monero/blob/master/utils/gpg_keys/luigi1111.asc\n$ auth-tarball-from-git --keyring luigi1111.asc --tag v0.17.3.2 --prefix monero-0.17.3.2 https://github.com/monero-project/monero v0.17.3.2.tar.gz\n[2022-05-27T19:30:03Z INFO  auth_tarball_from_git] Cloning repository from \"https://github.com/monero-project/monero\"\n[2022-05-27T19:30:06Z INFO  auth_tarball_from_git] Tag successfully verified\n[2022-05-27T19:30:06Z INFO  auth_tarball_from_git] Reproducing archive...\n[2022-05-27T19:30:08Z INFO  auth_tarball_from_git] Reading input that should be verified...\n[2022-05-27T19:30:08Z INFO  auth_tarball_from_git] Comparing...\nOK\n```\n\n## Dependencies\n\nNeeds `sqv` from the sequoia-pgp project to be installed to verify pgp\nsignatures.\n\n## Funding\n\nThis project was funded by myself with [github\nsponsors](https://github.com/sponsors/kpcyrd).\n\n## License\n\nGPLv3+\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Fauth-tarball-from-git","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkpcyrd%2Fauth-tarball-from-git","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Fauth-tarball-from-git/lists"}