Git provides the option to sign annotated tags with your GPG private key, but what is wrong with just accepting a tag's claimed origin? What damage could a spoofed tag do when the tag does not alter the commit?
What is wrong with just accepting a tag's claimed origin?
That you have no guarantee that it's correct: you'd have to trust every single person who has access to the repo (authorized or not) not to falsely create a tag. Signing guarantees (at least as much as GPG can offer) that the person who created the tag is who you think they are.
What damage could a spoofed tag do when the tag does not alter the commit?
None. You seem to have gotten two different ideas confused here. A tag and a commit are completely separate objects—a tag points to a commit, but a tag is not a commit. Thus, a tag will never alter a commit. This is potentially where more danger lies: a falsified tag will not change the commit history unexpectedly, and would more easily go unnoticed.
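As an added illustration (not part of the answer above, and not git's own code), the following Python models the byte layout of a git annotated-tag object: the `object`, `type`, `tag` and `tagger` headers, the message, and, for a signed tag, the armoured PGP block appended after the message. It shows that the `tagger` line is just text git copies from the local configuration, that a spoofed tag pointing `v1.0` at a different commit is indistinguishable from the genuine one by that line alone, that neither tag touches the commit objects, and which bytes a signature actually covers. The commit ids, the maintainer identity and the signature block are constructed placeholders; the signature block has the right shape but is not a real signature and would not verify.

```python
import hashlib

# Added example (not from the original post): models the byte layout of a git
# annotated-tag object to show what a tag's "claimed origin" is and what a
# signature actually covers. Commit ids, names and the signature block below
# are constructed placeholders, not real git objects or a real PGP signature.

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

MAINTAINER_COMMIT = "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"  # constructed
ATTACKER_COMMIT = "de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3"    # constructed
MAINTAINER = "Maintainer <maint@example.com> 1700000000 +0000"   # constructed

# Placeholder block with the shape gpg emits; it will NOT verify with gpg.
FAKE_SIG_BLOCK = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEzBAABCAAdFiEE/constructed/placeholder/not/a/real/signature\n"
    "-----END PGP SIGNATURE-----\n"
)


def git_object_id(obj_type, body):
    """Object id exactly as git computes it: sha1(b"<type> <len>\\0" + body)."""
    data = body.encode()
    header = f"{obj_type} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def build_tag(commit_sha, name, tagger, message, signature=None):
    """Serialise an annotated tag body. The tagger line is whatever the local
    user.name/user.email (or GIT_COMMITTER_NAME/EMAIL) say; git does not check it."""
    body = (
        f"object {commit_sha}\n"
        "type commit\n"
        f"tag {name}\n"
        f"tagger {tagger}\n"
        "\n"
        f"{message}\n"
    )
    if signature is not None:
        body += signature  # git appends the armoured signature after the message
    return body


def parse_tag(body):
    """Split a tag body the way `git tag -v` does. Everything before the
    signature block is the payload the signature is checked against."""
    if SIG_BEGIN in body:
        payload, armour = body.split(SIG_BEGIN, 1)
        signature = SIG_BEGIN + armour
    else:
        payload, signature = body, None
    headers, _, message = payload.partition("\n\n")
    fields = dict(line.split(" ", 1) for line in headers.splitlines())
    return {
        "target": fields["object"],
        "tag": fields["tag"],
        "tagger": fields["tagger"],
        "message": message.rstrip("\n"),
        "signed": signature is not None,
        "payload": payload,
        "signature": signature,
    }


def demo():
    """Compare a genuine tag with a spoofed one that copies the tagger line
    but points v1.0 at a different commit. Returns the observable facts."""
    genuine = build_tag(MAINTAINER_COMMIT, "v1.0", MAINTAINER, "Release 1.0")
    spoofed = build_tag(ATTACKER_COMMIT, "v1.0", MAINTAINER, "Release 1.0")
    signed = build_tag(MAINTAINER_COMMIT, "v1.0", MAINTAINER, "Release 1.0", FAKE_SIG_BLOCK)

    g, s, sg = parse_tag(genuine), parse_tag(spoofed), parse_tag(signed)
    return {
        # The tagger line alone cannot tell the two unsigned tags apart.
        "same_tagger": g["tagger"] == s["tagger"],
        # They are distinct objects with distinct ids, but the commits they
        # point at are untouched: a tag never alters a commit.
        "ids_differ": git_object_id("tag", genuine) != git_object_id("tag", spoofed),
        "spoofed_target": s["target"],
        "spoofed_signed": s["signed"],
        # The signed payload is byte-for-byte the unsigned tag body, so the
        # signature binds tagger identity, tag name and target commit together.
        "payload_is_unsigned_body": sg["payload"] == genuine,
        "tagger_inside_payload": f"tagger {MAINTAINER}\n" in sg["payload"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real repository the same facts can be checked with git itself: `git cat-file -p v1.0` prints the tag object in the layout modelled above, `git tag -s v1.0 -m "Release 1.0"` creates a signed tag, and `git tag -v v1.0` (or `git verify-tag v1.0`) hands the payload and the armoured block to gpg; an unsigned tag fails that check with "no signature found" no matter what its tagger line claims.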