Newsgroups: php.internals
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
From: imsop.php@rwec.co.uk ("Rowan Tommins [IMSoP]")
To: internals@lists.php.net
Date: Tue, 2 Apr 2024 19:48:01 +0100
Message-ID: <33406173-693c-44c2-a378-fff49751f3b4@rwec.co.uk>
References: <3e988b3b-65b8-13d3-16cf-1296bfdd7ed2@php.net>

On 02/04/2024 18:27, Ilija Tovilo wrote:
> If your GitHub account is compromised,
> [...] the attacker may simply register their
> own gpg key in your account, with the commits appearing as verified.
>
> If your ssh key is compromised instead, and you use ssh to sign your
> commits, the attacker may sign their malicious commits with that same
> key they may use to push.

The key point (pun not intended) is that git doesn't record who pushed a commit - pushing is just data synchronization, not part of the history. What it records is who "authored" the commit, and by default that's just plain text; so if somebody compromises an SSH key or access token authorised to your GitHub account, they can push commits "authored by" Derick, or Nikita, or Bill Gates, and there is no way to tell them apart from the real thing.

In fact, you don't need to compromise anybody's key: you could socially engineer a situation where you have push access to the repository, or break the security in some other way. As I understand it, this is exactly what happened 3 years ago: someone gained direct write access to the git.php.net server, and added commits "authored by" Nikita and others to the history in the repository.

If all commits are signed, a compromised key or account can only be used to sign commits with that specific identity: your GitHub account can't be used to sign commits as Derick or Nikita, only as you. The impact is limited to one identity, not the integrity of the entire repository.

Regards,

--
Rowan Tommins
[IMSoP]