I'd like to know what exactly is signed inside a git signed tag. Let's analyze the Linux v4.14-rc3 signature.
$ git show v4.14-rc3 | head -n 20
tag v4.14-rc3
Tagger: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Oct 1 14:55:06 2017 -0700
Linux 4.14-rc3
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJZ0WQ6AAoJEHm+PkMAQRiGuloH/3sF4qfBhPuJo8OTf0uCtQ18
4Ux9zZbm81df/Jjz0exAp1Jqk+TvdIS3OXPWcKilvbUBP16hQcsxFTnI/5QF+YcN
87aNr+OCMJzOBK4suN1yhzO46NYHeIizdB0PTZVL1Zsto69Tt31D8VJmgH6oBxAw
Isb/nAkOr31dZ9PI5UEExTIanUt6EywVb0UswA+2rNl3h1UkeasQCpMpK2n6HBhU
kVD7sxEd/CN0MmfhB0HrySSam/BeSpOtzoU9bemOwrU2uu9+5+2rqMe7Gsdj4nX6
3Kk+7FQNktlrhxCZIFN/+CdusOUuDd8r/75d7DnsRK5YvSb0sZzJkfD3Nba68Ms=
=7J2+
-----END PGP SIGNATURE-----
commit 9e66317d3c92ddaab330c125dfe9d06eee268aff
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Oct 1 14:54:54 2017 -0700
This GPG signature decodes to:
Old: Signature (Tag 2)
Version: 4
Signature Type: Signature of a binary document. (type 0x00)
Public Key Algorithm: RSA (Encrypt or Sign) (pka 1)
Hash Algorithm: SHA1 (hash 2)
Hashed Sub:
Signature Creation Time Subpacket (sub 2) (4 octets)
Creation Time: Sun Oct 1 21:55:06 UTC 2017
Unhashed Sub:
Issuer Subpacket (sub 16) (8 octets)
Key ID: 79be3e4300411886
Hash Left 16 Bits: ba5a
RSA m**d mod n (2047 bits): 7b05e2a7c184fb89a3c3937f4b82b50d7ce14c7dcd96e6f3575ffc98f3d1ec40a7526a93e4ef7484b73973d670a8a5bdb5013f5ea141cb311539c8ff9405f9870df3b68dafe382309cce04ae2cb8dd728733b8e8d6077888b3741d0f4d954bd59b2da3af53b77d43f15266807ea807103022c6ff9c090eaf7d5d67d3c8e54104c5321a9d4b7a132c156f452cc00fb6acd97787552479ab100a93292b69fa1c18549150fbb3111dfc23743267e10741ebc9249a9bf05e4a93adce853d6de98ec2b536baef7ee7edaba8c7bb1ac763e275fadca93eec540d92d96b87109920537ff8276eb0e52e0ddf2bffbe5dec39ec44ae58bd26f4b19cc991f0f735b6baf0cb
The public modulus and exponent of key 79be3e4300411886 are:
modulus=0xa49fe68e2e6b1aab57a351c5c200e5e43b7c3b7a22ea8d1ff38932f6299df4a7b6f13fc713517bdf33b7f013b127a820a48e2db9c76c6ca0a5c1f00954b302046141423aea63d813ac56627faca656edf0af29338af8182e2a379b0f135b82689fdfd6df4a71c35ab5bcdf67f91eb626667edafd5c920d015dba5f0697f47a82ce8f1c96e08e3b7e2bb3f1e9c41531536f63f54159dbc0d737243bfe21ea07f791659937e5a5abcc2ffe9c5fb7c433345830787f68e5b8f8b6743ec0c08b08b883b2012e55ac28380920ddd44cba0214a222a804ac3b6f6d6af558e9e237b346f7220ba62ce241944851b5663227dcca58ddfdf1677cae630af143c25c03b293
e=0x010001
Using the Python pow() function gives:
sig = 0x7b05e2a7c184fb89a3c3937f4b82b50d7ce14c7dcd96e6f3575ffc98f3d1ec40a7526a93e4ef7484b73973d670a8a5bdb5013f5ea141cb311539c8ff9405f9870df3b68dafe382309cce04ae2cb8dd728733b8e8d6077888b3741d0f4d954bd59b2da3af53b77d43f15266807ea807103022c6ff9c090eaf7d5d67d3c8e54104c5321a9d4b7a132c156f452cc00fb6acd97787552479ab100a93292b69fa1c18549150fbb3111dfc23743267e10741ebc9249a9bf05e4a93adce853d6de98ec2b536baef7ee7edaba8c7bb1ac763e275fadca93eec540d92d96b87109920537ff8276eb0e52e0ddf2bffbe5dec39ec44ae58bd26f4b19cc991f0f735b6baf0cb
print hex(pow(sig,e,modulus))
0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003021300906052b0e03021a05000414ba5aef12cc8a6983ff47f16a515b1da496a39822L
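The ASN.1 in the signature output indicates sha1 (1.3.14.3.2.26), with the hash value ba5aef12cc8a6983ff47f16a515b1da496a39822. What input data hashes to that value? I'd like a shell one-liner that outputs this value when executed in a Linux kernel git repository.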
Answer 0 (score: 1)
What input data hashes to that value?
This is described (very well) in Documentation/technical/signature-format.txt.
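The input is everything in the tag (e.g., git cat-file -p <tag-specifier>) except for the part between the cut lines; this exclusion includes the cut lines themselves. Moreover, the -----BEGIN PGP SIGNATURE----- line should be at the end of the tag, so that removing everything from there to the end suffices; several shell scripts, such as contrib/examples/verify-tag.sh, simply quit out of sed to strip the signature for verification.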
I'd like a shell one-liner that outputs [unsigned tag]
The git-verify-tag.sh code has some of that, but I'll copy and paste it here:
trap 'rm -f "$GIT_DIR/.tmp-vtag"' 0
git cat-file tag "$1" >"$GIT_DIR/.tmp-vtag" || exit 1
sed -n -e '
/^-----BEGIN PGP SIGNATURE-----$/q
p
' <"$GIT_DIR/.tmp-vtag" |
gpg --verify "$GIT_DIR/.tmp-vtag" - || exit 1
rm -f "$GIT_DIR/.tmp-vtag"
It's easy to convert part of this into a one-liner, since sed will read from a pipe.
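
Added example, not part of the original answer or of git's own code: per RFC 4880 section 5.2.4, a v4 signature's digest covers the stripped tag followed by the signature packet's hashed fields and a six-octet trailer, so this Python script rebuilds that full input from `git cat-file tag` output and hashes it. The function names and the script name are hypothetical, and it assumes an old-format v4 packet with signature type 0x00, as in the dump above.

```python
import base64
import hashlib
import struct
import sys

MARK = b"-----BEGIN PGP SIGNATURE-----\n"
# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) mapped to hashlib names
HASHES = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}

def split_tag(raw):
    """Split `git cat-file tag` output into (signed payload, armored signature)."""
    pos = raw.find(b"\n" + MARK)
    if pos < 0:
        raise ValueError("no PGP signature found in tag")
    return raw[:pos + 1], raw[pos + 1:]

def dearmor(armored):
    """Decode the base64 body, skipping cut lines, armor headers and the CRC line."""
    lines = armored.decode("ascii").split("\n")
    body = [l for l in lines if l and not l.startswith(("-----", "=")) and ":" not in l]
    return base64.b64decode("".join(body))

def hash_suffix(packet):
    """Return (hash id, bytes OpenPGP appends to the document before hashing)."""
    hdr = packet[0]
    if hdr & 0xC0 != 0x80 or (hdr >> 2) & 0x0F != 2 or hdr & 3 == 3:
        raise ValueError("expected an old-format signature packet (tag 2)")
    body = packet[1 + (1 << (hdr & 3)):]      # skip the 1-, 2- or 4-octet length
    version, sig_type, _pka, hash_id = body[:4]
    if version != 4 or sig_type != 0x00:
        raise ValueError("only v4 binary-document signatures are handled")
    (hashed_len,) = struct.unpack(">H", body[4:6])
    hashed = body[:6 + hashed_len]            # version .. end of hashed subpackets
    # Final trailer: 0x04, 0xFF, then the 4-octet length of `hashed`
    return hash_id, hashed + b"\x04\xff" + struct.pack(">I", len(hashed))

def signed_digest(raw_tag):
    """Hex digest that the signature covers for a signed tag object."""
    payload, armored = split_tag(raw_tag)
    hash_id, suffix = hash_suffix(dearmor(armored))
    return hashlib.new(HASHES[hash_id], payload + suffix).hexdigest()

if __name__ == "__main__":
    # Hypothetical usage: git cat-file tag v4.14-rc3 | python3 tag_sighash.py
    print(signed_digest(sys.stdin.buffer.read()))
```

The leading 16 bits of the printed digest can be compared with the "Hash Left 16 Bits" field of the signature dump before doing the RSA check.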