Tyler Parker

Reputation: 83

Why sign Git tags?

Git provides the option to sign annotated tags with your GPG private key, but what is wrong with just accepting a tag's claimed origin? What damage could a spoofed tag do when the tag does not alter the commit?

Upvotes: 8

Views: 1580

Answers (1)

Andrew Marshall

Reputation: 96994

What is wrong with just accepting a tag's claimed origin?

That you have no guarantee that it's correct; you'd have to put trust in every single person who has access to the repo (authorized or not) not to falsely create a tag. Signing guarantees (at least as much as GPG can offer) that the person who created the tag is who you think they are.

What damage could a spoofed tag do when the tag does not alter the commit?

None. You seem to have gotten two different ideas confused here. A tag and a commit are completely separate objects—a tag points to a commit, but a tag is not a commit. Thus, a tag will never alter a commit. This is potentially where more danger lies: a falsified tag will not change the commit history unexpectedly, and would more easily go unnoticed.

Upvotes: 11
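As an added example (my own, not part of the answer above), the following shell script builds a throwaway repository, creates an annotated tag whose tagger field is forged to name the maintainer, and shows that the tag still points at the unchanged commit while `git tag -v` rejects it because it carries no signature. The repository, the identity `Maintainer <maint@example.com>` and the tag names are constructed; the script assumes `git` is installed and uses `gpg` only if it is available, to create and verify a properly signed tag with a throwaway key.

```shell
#!/bin/sh
# Added illustration (not from the answer above). Constructed repository and
# identity; requires git, gpg optional.

# Create a temporary repository with one commit and print its path.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=Maintainer -c user.email=maint@example.com \
    commit -q --allow-empty -m "release commit"
  printf '%s\n' "$dir"
}

# Create an unsigned annotated tag whose tagger field claims to be the
# maintainer. The tagger field is plain metadata: anyone with push access
# can write whatever name they like into it.
forge_tag() {
  GIT_COMMITTER_NAME=Maintainer GIT_COMMITTER_EMAIL=maint@example.com \
    git -C "$1" tag -a "$2" -m "Release $2"
}

# Print the tagger name recorded in the tag object: the "claimed origin".
tagger_of() {
  git -C "$1" for-each-ref --format='%(taggername)' "refs/tags/$2"
}

# Print the commit a tag points at; the tag is a separate object, so the
# commit itself is never altered by creating one.
target_of() {
  git -C "$1" rev-parse "$2^{commit}"
}

# Succeed only if `git tag -v` accepts the tag, i.e. it carries a signature
# that verifies against a key in the verifier's keyring. An unsigned tag
# fails with "no signature found".
verify_tag() {
  git -C "$1" tag -v "$2" >/dev/null 2>&1
}

# Create a signed tag with a throwaway GPG key (constructed identity).
# Returns 1 when gpg is unavailable or cannot generate a key or sign, so
# callers can skip the signed-tag part of the demonstration.
sign_tag() {
  command -v gpg >/dev/null 2>&1 || return 1
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
    --quick-gen-key "Maintainer <maint@example.com>" default default never \
    >/dev/null 2>&1 || return 1
  git -C "$1" -c user.name=Maintainer -c user.email=maint@example.com \
    -c user.signingkey=maint@example.com tag -s "$2" -m "Release $2" \
    >/dev/null 2>&1 || return 1
}

demo() {
  repo=$(make_repo)
  head=$(git -C "$repo" rev-parse HEAD)
  forge_tag "$repo" v1.0
  printf 'v1.0 claims tagger: %s\n' "$(tagger_of "$repo" v1.0)"
  if [ "$(target_of "$repo" v1.0)" = "$head" ]; then
    echo "v1.0 points at the existing commit; the commit is untouched"
  fi
  if verify_tag "$repo" v1.0; then
    echo "v1.0: verified"
  else
    echo "v1.0: REJECTED by git tag -v (no signature)"
  fi
  if sign_tag "$repo" v1.0-signed; then
    if verify_tag "$repo" v1.0-signed; then
      echo "v1.0-signed: verified (signature from a known key)"
    else
      echo "v1.0-signed: not verified"
    fi
  else
    echo "gpg unavailable; skipping the signed-tag part"
  fi
}

demo
```

`git tag -v` only says "verified" when the signature checks out against a key you already hold, so the guarantee is exactly as strong as the care taken in obtaining and pinning the maintainer's public key; a forged tag is indistinguishable from a genuine one by its metadata alone, which is the point the answer makes.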
