Hi, all:

If I know that a project uses tag signing, would "git clone" followed by "git verify-tag" be meaningful without a "git fsck" in-between? I.e. if an attacker has control over the remote server, can they sneak in any badness into any of the resulting files and still have the clone, checkout, and verify-tag return success unless the repository is fsck'd before verify-tag?
I assume that it would break during the checkout stage, but I wanted to verify my assumptions.
Thanks,
-K
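
The sequence the question describes, with the fsck step included and every step failing closed, as an added example that is not part of the original message. It assumes the signer's public key is already in the local GnuPG keyring; `verified_clone` and its return codes are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: clone -> fsck -> verify-tag -> checkout, failing closed.
# Assumption: the tag signer's public key is already in the local keyring.

# verified_clone URL TAG DEST  (hypothetical helper)
# Returns 0 only if every step succeeds; each failure has its own code.
verified_clone() {
    url=$1 tag=$2 dest=$3

    # Clone without populating the work tree, so no file is checked out
    # before the checks below have run. transfer.fsckObjects asks git to
    # check objects as they are received over a transport.
    git -c transfer.fsckObjects=true clone --quiet --no-checkout \
        "$url" "$dest" || return 10

    # Object-store check: the step the question asks about.
    git -C "$dest" fsck --strict --no-dangling >/dev/null 2>&1 || return 11

    # The name must resolve to an annotated tag object. A lightweight tag
    # points straight at a commit and carries no signature at all.
    [ "$(git -C "$dest" cat-file -t "refs/tags/$tag" 2>/dev/null)" = tag ] \
        || return 12

    # Signature check against the local keyring.
    git -C "$dest" verify-tag "$tag" >/dev/null 2>&1 || return 13

    # Check out exactly the commit that the verified tag object names.
    commit=$(git -C "$dest" rev-parse --verify --quiet \
        "refs/tags/$tag^{commit}") || return 14
    git -C "$dest" checkout --quiet --detach "$commit" || return 15
}
```

Called as `verified_clone <url> <tag> <dest>`, a non-zero return identifies which step refused to proceed.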
