npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

gitsz

v3.0.4

Published

Git tags with higher level of security

Downloads

13

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

sambachasambacha

Keywords

gitsecuretagsha256gpgsignatureverifysign

Readme

Motivation

$GIT_TAG should be the primary artifact

With the current design, it is necessary to use Git to clone the repository and use Git to walk the trees. This means that Git is exposed to untrusted data before the signature is verified, making it part of the TCB (Trusted Computing Base).

This is not desirable because Git has a large footprint in the engineering ecosystem

At least, the recommended steps should verify the signature before a checkout is performed (which is probably the most risky operation because it involves partially attacker-controlled file system operations).

The point of signing a git commit is to authenticate history to future consumers so the fact that history was tampered with deliberately needs to be preserved in the signature because it is possible to alter the exact semantics/content of the commit.

git uses SHA-1 hashes when signing tag. SHA-1 is generally deprecated and is not a collision-safe anymore (though, collisions are yet to come pre-image attack is yet to come).

Replacing tarballs

What gitsz (i.e. git-evtag) implements is an algorithm for providing a strong checksum over the complete source objects for the target:

    -commit (- trees - blobs - submodules)
    +commit (+ trees + blobs + submodules)

Then it’s integrated with GPG for end-to-end verification. (Although, one could also wrap the checksum in X.509 or some other public/private signature solution).

This is similar to what project distributors often accomplish by using git archive, or make dist, or similar tools to generate a tarball, and then checksumming that, and (ideally) providing a GPG signature covering it.

If the checksum is not reproducible, it becomes much more difficult to easily and reliably verify that a generated tarball contains the same source code as a particular git commit.

Cannonical Git Commit

    $ GIT_AUTHOR_DATE="Thu, 01 Jan 1970 00:00:00 +0000" GIT_COMMITTER_DATE="Thu, 01 Jan 1970 00:00:00 +0000" git commit --allow-empty -m 'Initial commit'

Usage

    Usage: gitsz [-s | -u <keyid>] [-m <msg>]
                          <tagname> [<commit> | <object>]

    Commands:
      hash  print hash of repository contents

    Options:
      -v, --verify  Verify the gpg signature of a given tag                [boolean]
      --insecure    Do not sign the tag                                    [boolean]
      -h, --help    Show help                                              [boolean]
generate tag

git secure-tag -s v2.5.0

verify tag
    $ git secure-tag -v v2.5.0
    gpg: Signature made Wed Oct 28 00:16:58 2020 PDT
    gpg:                using RSA key C00B2090F23C5629029111CBF5D2A7216C51FB94
    gpg: Good signature from "sam bacha <[email protected]>" [ultimate]
    gpg:                 aka "Freight Trust Corp <[email protected]>" [ultimate]
    Good Git-EVTag-v0-SHA512 hash
gitsz
    $ gitsz hash
    bdf3cd8f2a4e29a5cf86cbd7fe815583b0e78b4efe4759fc7204b5dfb6fb928fde138f7fcfcae19e241b25d210b3c3147cb7b5327654ae3dd1ae02d4908e4671

Reference Case Study

github/sambacha/BPBDTL/commit/21687a1a7d5f3c26e9c06fa23547fca4a09178a2

  • In this scenario, I signed a commit at approx. 0 UNIX EPOCH time using another user’s credentials, and by credentials I mean just using their email@address and user name. No other passwords, etc, is required. Although GitHub does not say verified for the commit, it displays the user’s avatar, and may be overlooked without more careful examination.

Implementation

gitsz runs cat-file recursively for each entry (sorted alphabetically), enters submodules (if present), and hashes file/directory names, file contents, and submodules (recursively again) into a resulting Git-EVTag-v0-SHA512: ... SHA512 digest.

Installation

npm install -g gitsz

Usage

# Sign
gitsz v1.20.7 -m "My tag annotation"

# Verify
gitsz -v v1.20.7

Implementation and Contributors

Largely inspired by:

@gwalters/git-evtag

Fedor Indutny, 2016.

License

SPDX-License-Identifier: MIT