
GitHub Commit Forgery - agrinman
https://spoof.krypt.co/?hns=1
======
geofft
There's a very good reason Git (and GitHub) permit this: maintaining credit
when rebasing or making other minor edits. If you submit some code to me, and
I pull --rebase your branch into the project, the resulting commit won't be
byte-for-byte identical to the one you sent me. At the very least, the parent
commit pointer needs to be different, and Git will also update the committer
(to myself) and commit timestamp. Since git stores trees, not diffs, the
resulting tree will probably be different, and if there are merge conflicts,
then the diff itself will also be different from the diff you sent me. If I
fix a typo in a comment or something and then incorporate the commit, that
will also be different.

If Git implemented something with commit signing as a matter of course, this
functionality would be broken. I couldn't directly attribute the commit to
you; it would be signed with my key instead, because your original signature
won't be valid. I could of course put your name in the commit message, but
then the "forgery" problem arises again: I can just put anyone's name right
there, of course.

The current system ensures that you get credit for your work (and it's
machine-parseable credit, so it shows up in your GitHub profile's contribution
history) when someone rebases a commit you wrote, instead of the project
maintainer getting credit.

~~~
lisper
It is also worth noting that this is a marketing page for a commercial
product.

~~~
ryandrake
Good catch! Also look at the submitter’s submission history to HN. Looks like
he’s just pumping this page over and over.

------
mmozeiko
This is nothing github specific. It will work with any git repository. Author
is just a text attached to commit. Anybody can set it to anything.

You don't even need to edit ~/.gitconfig file. Just set GIT_AUTHOR_NAME /
GIT_AUTHOR_EMAIL / GIT_AUTHOR_DATE env variables to anything you want. See
[https://git-scm.com/book/en/v2/Git-Internals-Environment-Var...](https://git-
scm.com/book/en/v2/Git-Internals-Environment-Variables) for more variables.

~~~
infogulch
I found this out when I was migrating code from hg in google code (now
archived) to github. The source commits didn't have valid email addresses so
they didn't work very well with git and github, so I just rewrote them to
something else. There's no special checks that a commit came from the owner of
an email address, and there's no way to prove it did/didn't.

Take commit metadata with a grain of salt.

------
lisper
Note that this is not a selfless public service announcement, it's a marketing
campaign for a commercial product.

~~~
acdha
This is true but on the other hand anyone making a serious effort to fix the
raging dumpster fire which is PGP usability deserves some kudos. Most people
who turn GPG signing on in Git seem to turn it off after hitting one of the
many UX failures.

------
lqet
I don't get it - of course this can be done. The easiest way is to use

git commit --author="Some Name <some@name.org>"

Or commit to the future:

git commit --author="Zager Evans <zager@evans.com>" \--date="Fri Aug 3 14:00
2525 +0000"

There is no fundamental difference between a commit message and the commit
author, its just some meta information attached to the commit. It's up to
whoever is responsible to merge pull requests to check if this commit is
actually coming from the person you think it is. Signed commits are one
option, others would be to send the commit as a patch via mail (also possibly
signed), or to open a pull request as a logged in user on an auxiliary meta-
platform (which is exactly what Github is).

------
eboyjr
Git is cryptographically secure, but it's not foolproof.

However signing a single commit verifies the parent commits (similar to the
blockchain) so it isn't necessary for every commit.

Signing tags and commits is great, but if you decide to use this in your
normal workflow, you’ll have to make sure that everyone on your team
understands how to do so. If you don’t, you’ll end up spending a lot of time
helping people figure out how to rewrite their commits with signed versions.
Make sure you understand GPG and the benefits of signing things before
adopting this as part of your standard workflow.

~~~
rhencke
Git offers the _option_ to sign commits. Git itself makes no guarantees that a
commit's author is who it's listed to be, unless you use signed commits.

Signing a commit does not verify parent commits in the way I think you think
it does. It does give the guarantee of 'These are the commits that are the
basis of my commit', but that is only worth as much as what your signature
actually conveys. Your signature certainly conveys you authored your commit,
but it doesn't guarantee that the parent commit was authored by who was listed
as the author.

~~~
TomK32
I do this for a year now with my gpg key, haven't had a moment where this was
of any use. yet.

------
kbumsik
Git code signing is as easy as adding -S option when making a commit. Why do
we need a thrid-party stuff?

------
agrinman
Hey HN -- one of the creators here. I saw a few people mention this in the
comments and want to re-iterate: this is NOT a bug on GitHub. This is a
feature of Git that GitHub has to support because we often need to push
commits on behalf of other users.

However -- this does illustrate a clear reason why it sometimes makes sense to
PGP-sign your releases/commits.

~~~
geofft
Yeah, I figure you all know that :) I just think calling it "forgery" /
"fraudulent" makes it sound like a Git/GitHub vulnerability. It's a feature
that depends on trust and goodwill, and the fact that trust can be abused
isn't interesting.

For instance, if I wrote "Hey HN, one of the creators here" when I'm not,
people wouldn't call that "HN comment forgery" \- they'd just call it regular
lying.

~~~
EthanHeilman
>It's a feature that depends on trust and goodwill

Such features can be a vulnerability, a vulnerability does not have to be an
accident

>the fact that trust can be abused isn't interesting

As a security researcher it is interesting to me but clearly YMMV

------
guhcampos
This is just propaganda.

The title is misleading, the text itself is sensationalist and over promotting
their own product.

Git authors are simply names associated to commits, it's not supposed to
authenticate anyone, so talking "forgery" is just nonsense.

Any repository owners worried about the authenticity of the commits should
allow only signed commits. This is available in all major git platforms AFAIK.

------
samschooler
This is a remarkable landing page. Fantastic.

1\. Clear problem every developer has (most don't even know !!)

2\. Inform on how to solve the problem

3\. Offer the convenient solution.

Wow.

~~~
geofft
It's also remarkable because it's fear-mongering. It's not a "problem," and
most developers would be mad if they stopped getting credit for their pull
requests in projects using a rebase workflow, which is what their "solution"
would require. (See my other comment for details.)

~~~
EthanHeilman
>It's not a "problem,"

To me it is a problem and I'm glad they are pointing it out. I suspected this
was possible but wasn't sure, now I know for sure.

~~~
lqet
Technically, it is the same "problem" as falsely writing "this proofs P = NP"
into the commit message. It's just free text, you can put whatever you want
there (as long as the email address is formatted correctly, I guess).

Edit: Github actually marks verified commits in their GUI:
[https://help.github.com/assets/images/help/commits/gpg-
signe...](https://help.github.com/assets/images/help/commits/gpg-signed-
commit-verified-without-details.png)

~~~
geofft
I will admit that GitHub formats the commit in a way where it looks like the
commit author may have been verified in some way (because it's linked to a
GitHub account, and approximately no other type of online service permits
posting things from an account without actually being from that account - the
PGP keyservers are the only other one I can think of!), and the content of
commit messages don't look like they're endorsed by GitHub.

I'm not sure if there's an easy way in the UI to demonstrate
unverified/verified, though. Even a small broken-lock icon would imply that
something is _wrong_ when it's not really wrong, it's just common practice for
this to be entirely based on trust.

Perhaps it would help to show the verified identity of the user who pushed the
commit to GitHub alongside the unverified author?

~~~
Boulth
It reminded me of this interesting behavior of keyservers, that is by design
but still surprising - anyone can add UIDs to any key:
[https://bitbucket.org/skskeyserver/sks-
keyserver/issues/41/w...](https://bitbucket.org/skskeyserver/sks-
keyserver/issues/41/web-app-displays-uids-on-keys-that-have)

------
joeblau
Is this working? I just tried it and it generates a commit hash that leads to
a 404 page[1]. I haven't looked into what the code is doing, but for it to
claim that it _stole_ my identity is very misleading.

[1] - [https://github.com/git-
forge/fraudulent/commit/a0a2c80140bae...](https://github.com/git-
forge/fraudulent/commit/a0a2c80140baec889c59c3c4c1caa8165788511d)

~~~
agrinman
It looks like there's some intermittent failure with the high number of
incoming requests -- sorry! Try again and it should work :)

------
thebluehawk
Most git servers have an option to only allow commits to go through if the ssh
key that is pushing the commit matches the SSH key associated with the account
of the "Author" field. Easier to implement than enforcing PGP signing.

~~~
codetrotter
Sounds impractical in the case of GitHub though. If I create a repo, you fork
my repo, I push some commits to mine, then you pull from mine and author some
more commits and then I delete my repo then you can’t push.

------
calebdavenport
This didn't quite work for me since I had my github username changed (caleb-
davenport to calebdavenport) about a year ago. It used my old username
instead.

[https://github.com/git-
forge/fraudulent/commit/f9f2b8b6f2711...](https://github.com/git-
forge/fraudulent/commit/f9f2b8b6f271147fa0ff7968aefc59c2b81a0b3d)

------
jancsika
Not sure how gitlab handles the avatar, but in practice this doesn't matter
_internally_ in a FLOSS project:

"The commit that broke something is attributed to Sojourner Truth. That's you,
right?"

"Yes, that's me."

However, a centralized identity in a global namespace that merely wraps around
arbitrary state entered into a local instance of git instance is not gonna go
good.

------
kbar13
forged commit: [https://github.com/git-
forge/fraudulent/commit/95321ee7b3e25...](https://github.com/git-
forge/fraudulent/commit/95321ee7b3e25f99eadf03f5af7005e4b6c1be3e)

authentic commit:
[https://github.com/bsdlp/packagebot/commit/c7cd115357f51e8e1...](https://github.com/bsdlp/packagebot/commit/c7cd115357f51e8e18daa82d4d497079c93d0cec)

you can use a gpg key to sign your commits and tell github about your public
key so they can add a verified badge in the commit log. really only useful if
github can enforce authenticity when pushing to repos...

------
balls187
Hrm, the commit I created a 404'd commit hash.

~~~
joeblau
Yeah this didn't work for me either. Do you have 2FA enabled?

~~~
balls187
Nope. But, I should. Thx for the reminder.

------
WilliamEdward
Ambiguous title. I read it as "Github, the company, commits forgery."

------
imdsm
Wow.

------
TomK32
Real c0d3rs don't need that, only git-vain [https://github.com/will/git-
vain](https://github.com/will/git-vain)

