Hi, all:

If I know that a project uses tag signing, would "git clone" followed by
"git verify-tag" be meaningful without a "git fsck" in-between? I.e. if
an attacker has control over the remote server, can they sneak in any
badness into any of the resulting files and still have the clone,
checkout, and verify-tag return success unless the repository is fsck'd
before verify-tag?

I assume that it would break during the checkout stage, but I wanted to
verify my assumptions.

Thanks,
-K
- Is git clone followed by git verify-tag meaningful? Konstantin Ryabitsev