A relatively unknown and underused feature of Git is the ability to cryptographically sign commits. It is an optional feature that provides a way for the author of a commit to prove ownership. It uses the author's GPG key to leave a signature in the commit that can be checked later. If you're a Keybase user, it's pretty easy to use your Keybase GPG key for signing your Git commits. Then, once your commits are signed, GitHub provides a nice interface for verifying that commits have been signed and by whom. This tutorial walks you through the process I took to set up Git commit signing with my Keybase GPG key. I went from not having a GPG key installed locally through to seeing my commits marked as Verified on GitHub.

Why should we sign Git commits?

A few days ago, I was at NDC Security and saw a talk by Phil Haack where he spoofed a "malicious" commit to look like it was made by Troy Hunt (who was also speaking). It may sound difficult, but it's actually a very trivial process. Git will accept any name and email address as the commit author, and so will GitHub. So if you set the author on the commit to be a valid email address, it will look like that person made the commit. This is due to the distributed nature of Git, which allows anyone to push anyone else's commits around. However, from a security point of view, it's a problem. Unfortunately, there isn't a way to stop someone from spoofing a commit with your name and email.
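The following is an added example, not code from the original post or from Keybase or GitHub. It shows that Git takes the author fields at face value, and how to audit a branch for commits that carry no good signature, which is the check signing makes possible. It assumes git is installed; the author identity is constructed and the key ID is a placeholder.

```shell
#!/bin/sh
# Added example: Git accepts any author identity, so the only trustworthy
# evidence of authorship is a signature that verifies against a known key.
set -eu

# Create a throwaway repository with one commit whose author is a constructed
# identity that the committing machine does not own. Git records it as-is.
make_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" -c user.name="Someone Else" -c user.email="someone@example.com" \
        -c commit.gpgsign=false commit -q --allow-empty -m "looks legitimate"
    echo "$repo"
}

# One line per commit on HEAD: <hash> <status> <author>.
# %G? is G (good signature), B (bad), U/X/Y/R (good but untrusted, expired,
# or revoked key), E (could not be checked, e.g. key missing), N (unsigned).
# Treat anything but G as unauthenticated, whatever the author field says.
signature_report() {
    git -C "$1" log --format='%H %G? %an <%ae>'
}

# Succeeds only if every commit on HEAD has a good signature.
all_commits_signed() {
    ! git -C "$1" log --format='%G?' | grep -qv '^G$'
}

# What a contributor configures so every commit is signed automatically.
# $2 is the long key ID of your own GPG key (PLACEHOLDER_KEYID below).
enable_signing() {
    git -C "$1" config user.signingkey "$2"
    git -C "$1" config commit.gpgsign true
    git -C "$1" config --get commit.gpgsign
}
```

Run `signature_report` against a clone of any repository to see which commits would show as Verified and which carry only an unauthenticated name and email.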