Cryptography git commits

-

Git is an industry-standard version control tool used in IT fields, so it has a mandatory tool and a skill to learn for developers.

During the development stage, developers make hundreds / thousands of commits. However, it is not difficult to find unverified commits, although it would be related to security flaws and potentially impacts the vulnerability of projects.

This article will mainly focus on the importance of the signing(verified) commits. As well, there is one practice on how to pretend someone else in Git repositories.

-

Table of Contents

1. Brief about SSH key
2. GPG key
3. An example of a security flaw without using GPG key
4. How to setup GPG key
5. How to create signing commits
6. Final thoughts

-

Brief about SSH

First of all, I would assume that you have already set up SSH-key on your machine to authenticate to Github and have it registered with your Github account. If not, please read Connecting to GitHub with SSH and follow the steps.

Setting up SSH-key means that you do not have to provide your Github username or password for all of your git activity. That is the main reason to set up an SSH-key. Does connecting to Github with an SSH-key mean all of your commits become secure? We will dig into this and talk more about the disadvantages of only using an SSH-key later in this article.

-

Then, what is GPG key?

Gnu Privacy Guard(GPG) is a tool that allows users to integrate an additional security layer easily with other applications. In this case, it will be Git.

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).

Since its introduction in 1997, GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License .

The current version of GnuPG is 2.2.17. See the download page for other maintained versions.

Gpg4win is a Windows version of GnuPG featuring a context menu tool, a crypto manager, and an Outlook plugin to send and receive standard PGP/MIME mails. The current version of Gpg4win is 3.1.10.

-

What could happen if you do not use GPG key?

One very common severe issue is that someone can set up other developers' Github username and email in their local machine, and create commits which will appear as "the someone else"' commits in the Git repository. Of course, this activity needs to meet a certain condition. The command below shows how to set up a different Github username and email within your terminal.

-

// setup username and email
$ git config --global user.name "No GPG"
$ git config --global user.email no.gpg@email.com

// verity username and email
$ git config --global user.name
> No GPG
$ git config --global user.email
> no.gpg@email.com

Here I want to share with you an example of two different commits that I pushed in a test Git repository(signing commit).

When I created this git repository, I made the initial push with a signed(verified) commit.

And then, I asked a friend of mine (@alemesa ) to follow the practice above and gave him my Github username and email. (These credentials for signing in can be found with very little effort.) He created a commit and pushed to the master branch. Check out the results below.

The commit has appeared that it was created by me. However, there is no "verified" flag like the first initial commit.

If master branch is not protected like the testing Git repository, then anyone in the contributor list can push any code by pretending to be someone else. Please find details about how to protect branches here.

NOTE: If you want to test this activity, please send me a direct message that includes your Github username. I will add you into the collaborator list.

-

How to setup GPG key

The references will guide you on how to setup GPG key in your workstation, and how to add them into your Github account.

• Setup GPG key Github
• Sign your commits on Github with GPG

-

How to create signing commit(s)

Add file(s) before creating a commit:

// add a single file
$ git add [path file]

// add all file
$ git add .

The git command below is how to create a commit with or without your signature:

// create commit with a message without signing
$ git commit -m "commit message"

// add all file that you want to commit
$ git commit -S -m "commit message"

Once your signing commit(s) is created, the next step is to push to a git repo:

// push the commit
$ git push 

The screenshot below is an example of git signing commit in the test git repository(signing commit)

-

Conclusion

To sum this article up, using GPG-key will increase security and authenticity level by encrypting its data, and adding a person's signature. If you or your organization have considered these, the steps above will bring its advantages and ensure trust with your commit workflow.

NOTE: this activity may not be suitable for all case. Please make sure using this for the right purpose.

-

References

• Gnu PG

• Telling Git about your signing key

• What are the advantages and disadvantages of cryptographically signing commits and tags in Git?

• Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?

• How to create signing commits

• Setup gpg-key within SourceTree

• GnuPG manual

-

Collaborators

• Alejandro Mesa (@alemesa) - alejandro.suarez@jam3.com
• Danny Paton - danny.paton@jam3.com