DEV Community

loading...

Spoof a commit on GitHub. From Anyone.

agrinman profile image Alex Grinman ・2 min read

Did you know that anyone can commit as you on GitHub? If you don't believe me, just browse through this repository's forged commits or use our tool to forge a commit for yourself.

Try it for yourself: spoof.krypt.co


How does it work?

Open your ~/.gitconfig

[user]
    name  = Ben Bitdiddle
    email = bbitdiddle@mit.edu
Enter fullscreen mode Exit fullscreen mode

Change name and email to any value you want.

If email matches the email of another GitHub user, that user's picture will show up next to the commit, and
when you click on it will take you to their real GitHub profile.

Next time you see a commit on GitHub from Ben -- don't trust that Ben actually authored it.

How can do prove that my commits are really mine?

Anyone can set the “author” of a Git commit to any value.
To prove that you authored a commit you must attach a digital signature to it.
The only way someone knows it was really your commit is to verify the commit's signature.

GitHub supports verifying & signing Git commits

Check out this signed commit: kryptco/kr@0cca333.

If a commit doesn’t have a green “Verified” badge, then it could have been authored by anyone!

GitHub verifies signed commits, and Krypton makes signing commits easy.
Get your green verified badge, https://krypt.co.

Let's see some well known forgeries...

"I love windows and subversion!" -- @torvalds on #1eb0d8

"You should really use gitlab.com, it's way better." -- @schacon on #730c7e

Anonymously Forged Commits

Browse all of the forged commits from the community here! https://github.com/git-forge/fraudulent/commits/master

Discussion (14)

pic
Editor guide
Collapse
citizen428 profile image
Michael Kohl • Edited

There was a pretty lengthy response by Linus on this whole issue on the Git mailing list in 2009:

git.661346.n2.nabble.com/GPG-signi...

I'm only gonna quote parts here:

[Commit signing is] always going to be inferior to just adding a tag.

The thing is, what is it you want to protect? The tree, the authorship,
the committer info, the commit log, what?

And it really does matter. Because the signature must be over some part of
the commit, and since the SHA1 of the commit by definition contains
everything, then the safest thing is always to sign the SHA1 itself:
thus a tag.

Anything else is always bound to only sign a part of the commit. What
part do you feel like protecting? Or put another way, what part do you
feel like not protecting?

So the way git does signatures protects everything. When you do a tag with
"git tag -s" on a commit, you can absolutely know that nobody will ever
modify that commit in any way without the tag signature becoming invalid.

And perhaps equally interestingly, that signature is now also easily
separable from the history - which is interesting if you want to
distribute your cryptographic parts separately (for example, you only use
it internally within a company or group, to mark some group-specific
issues).

And:

Btw, there's a final reason, and probably the really real one. Signing
each commit is totally stupid. It just means that you automate it, and you
make the signature worth less. It also doesn't add any real value, since
the way the git DAG-chain of SHA1's work, you only ever need one
signature to make all the commits reachable from that one be effectively
covered by that one. So signing each commit is simply missing the point.

Collapse
phlash909 profile image
Phil Ashby

[full disclosure - I work for an identity intelligence company!]

Thanks for the head up Alex, although I would question the use of Github accounts as a source of trusted identity (suggested by other comments below via Github's help pages). These are likely to be trivially forge-able too.

Git's support for GPG keys to strengthen the trust in a commit is based on the assumption that the committer already owns a trusted GPG identity (where the trust is obtained through other parties attesting to their identity / key signing, in the usual GPG way).

Where this isn't possible, it may be better to look at federation with trusted identity providers, such as those who assure IDs for banks, governments, etc. Depends what the value of that commit is I guess!

Collapse
ferricoxide profile image
Thomas H Jones II

Several months back, I was setting up a new project on GitHub. As I was configuring my protected branches, I noticed a checkbox for "Require signed commits". I'm one of those obsessive box-checker freaks. So, when I noticed this new box, I clicked on the link to see what it was about and how to make it so I could check the box. Been signing commits ever since then (and Slack-shaming teammates whose commits don't have the green Verified box).

Collapse
adityavarma1234 profile image
Aditya Varma

Why is the repository disabled? github.com/git-forge/fraudulent

Collapse
agrinman profile image
Alex Grinman Author

It's unfortunate -- I guess GitHub decided it was against their ToS. I don't agree personally, and we made it very clear that spoof.krypt.co was a demonstration, but we must respect their decision (and ability) to do this :/

Collapse
jfinstrom profile image
James Finstrom

itsafeature 😁

I work for a major open source project and commit patches from other developers. It is their code they get credit. Committing to your repos should generally be restricted anyway. Some places use signed commits as a form of CLA bit over all this is a necessary thing.

Collapse
crawlingcity profile image
crawlingcity

This works on bitbucket too, had a coworker commiting as myself for a while because my name and email was somehow configured inside a docker container

Collapse
mgh87 profile image
Martin Huter

Thanks for spreading the word on signing git commits.

Know all of it, but still enjoyed reading.

Collapse
rhymes profile image
rhymes

Didn't know! Thanks!

Is this the solution? help.github.com/articles/signing-c...

Collapse
agrinman profile image
Collapse
ankurk91 profile image
Ankur Kumar

Here is how to setup GPG for Github-

gist.github.com/ankurk91/c4f0e23d7...

Collapse
leob profile image
leob

Awesome, didn't realize this!

Collapse
qm3ster profile image
Mihail Malo

The repo is down :(

Collapse
jrtibbetts profile image
Jason R Tibbetts • Edited

Can you use this method to spoof a user with more permissions than you normally have, such as someone with PR merge permission?

(Asking for a friend. ;))