GitHub Commit Forgery

64 points by agrinman, almost 7 years ago

18 comments

geofft, almost 7 years ago
There's a very good reason Git (and GitHub) permit this: maintaining credit when rebasing or making other minor edits. If you submit some code to me, and I pull --rebase your branch into the project, the resulting commit won't be byte-for-byte identical to the one you sent me. At the very least, the parent commit pointer needs to be different, and Git will also update the committer (to myself) and commit timestamp. Since git stores trees, not diffs, the resulting tree will probably be different, and if there are merge conflicts, then the diff itself will also be different from the diff you sent me. If I fix a typo in a comment or something and then incorporate the commit, that will also be different.

If Git implemented something with commit signing as a matter of course, this functionality would be broken. I couldn't directly attribute the commit to you; it would be signed with my key instead, because your original signature won't be valid. I could of course put your name in the commit message, but then the "forgery" problem arises again: I can just put anyone's name right there, of course.

The current system ensures that you get credit for your work (and it's machine-parseable credit, so it shows up in your GitHub profile's contribution history) when someone rebases a commit you wrote, instead of the project maintainer getting credit.
Comment #17682172 not loaded
mmozeiko, almost 7 years ago
This is nothing github specific. It will work with any git repository. Author is just a text attached to commit. Anybody can set it to anything.

You don't even need to edit ~/.gitconfig file. Just set GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL / GIT_AUTHOR_DATE env variables to anything you want. See https://git-scm.com/book/en/v2/Git-Internals-Environment-Variables for more variables.
Comment #17682126 not loaded
lisper, almost 7 years ago
Note that this is not a selfless public service announcement, it's a marketing campaign for a commercial product.
Comment #17682368 not loaded
lqet, almost 7 years ago
I don't get it - of course this can be done. The easiest way is to use

git commit --author="Some Name <some@name.org>"

Or commit to the future:

git commit --author="Zager Evans <zager@evans.com>" --date="Fri Aug 3 14:00 2525 +0000"

There is no fundamental difference between a commit message and the commit author, it's just some meta information attached to the commit. It's up to whoever is responsible to merge pull requests to check if this commit is actually coming from the person you think it is. Signed commits are one option, others would be to send the commit as a patch via mail (also possibly signed), or to open a pull request as a logged in user on an auxiliary meta-platform (which is exactly what Github is).
eboyjr, almost 7 years ago
Git is cryptographically secure, but it's not foolproof.

However signing a single commit verifies the parent commits (similar to the blockchain) so it isn't necessary for every commit.

Signing tags and commits is great, but if you decide to use this in your normal workflow, you'll have to make sure that everyone on your team understands how to do so. If you don't, you'll end up spending a lot of time helping people figure out how to rewrite their commits with signed versions. Make sure you understand GPG and the benefits of signing things before adopting this as part of your standard workflow.
Comment #17682145 not loaded
Comment #17682186 not loaded
Comment #17682157 not loaded
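The points made by mmozeiko, lqet and eboyjr above (author is free text in the commit header, the commit id covers every header line, and a child commit's parent pointer pins the parent's exact content) can be seen without any git binary by assembling commit objects by hand. The following is an added example, not code from the thread or from GitHub; it constructs commit bodies in git's real on-disk layout, hashes them the way git does (SHA-1 over `<type> <size>\0` plus the body), and uses made-up identities. The only real constant is the id of the empty tree.

```python
import hashlib

# Constructed values for the example: the empty tree's id (a real git constant)
# and two made-up identities in git's "Name <email> timestamp tz" form.
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
ALICE = "Alice Example <alice@example.com> 1533300000 +0000"
MALLORY = "Mallory Example <mallory@example.com> 1533300000 +0000"


def make_commit(tree, parents, author, committer, message):
    """Assemble the uncompressed body of a git commit object.

    This is the layout git itself uses: header lines, a blank line, the message.
    'author' and 'committer' are nothing more than two header lines of free text,
    which is why any value can be placed in either of them.
    """
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}"]
    return "\n".join(lines) + "\n\n" + message + "\n"


def object_id(kind, body):
    """Compute a git object id: SHA-1 over '<type> <size>\\0' followed by the body."""
    data = body.encode("utf-8")
    header = f"{kind} {len(data)}\0".encode("utf-8")
    return hashlib.sha1(header + data).hexdigest()


def parse_commit(body):
    """Split a commit body back into its header fields and message."""
    headers, _, message = body.partition("\n\n")
    fields = {"parent": []}
    for line in headers.split("\n"):
        key, _, value = line.partition(" ")
        if key == "parent":
            fields["parent"].append(value)
        else:
            fields[key] = value
    fields["message"] = message.rstrip("\n")
    return fields


def identity(field):
    """Return (name, email) from an 'author' or 'committer' header value."""
    name, _, rest = field.partition(" <")
    email = rest.split(">", 1)[0]
    return name, email


def chain_demo():
    """Author and committer are independent text, but the id binds both, and a
    child's parent pointer binds the parent's exact content."""
    # Commit A names Alice as author but was actually created by Mallory.
    a = make_commit(EMPTY_TREE, [], ALICE, MALLORY, "Add feature")
    a_id = object_id("commit", a)
    # Commit B is built on A and records A's id in its parent header. A signature
    # over B therefore covers A's id, and through it A's author line as well.
    b = make_commit(EMPTY_TREE, [a_id], MALLORY, MALLORY, "Follow-up")
    # Rewriting A's author after the fact yields a different object id, so B
    # (and anything signed over B) still refers only to the original A.
    a_rewritten = make_commit(EMPTY_TREE, [], MALLORY, MALLORY, "Add feature")
    return {
        "a_id": a_id,
        "a_rewritten_id": object_id("commit", a_rewritten),
        "b_id": object_id("commit", b),
        "b_parents": parse_commit(b)["parent"],
        "a_author": identity(parse_commit(a)["author"]),
        "a_committer": identity(parse_commit(a)["committer"]),
    }


if __name__ == "__main__":
    for key, value in chain_demo().items():
        print(f"{key}: {value}")
```

The author and committer of commit A parse to two different people while sharing one object id; changing the author line produces a different id, and commit B keeps pointing at the original. This is the sense in which a signature on the tip of a branch vouches for the whole chain behind it, and also why a signature says nothing about whether the author line is truthful, only that the signer vouched for that content.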
kbumsik, almost 7 years ago
Git code signing is as easy as adding -S option when making a commit. Why do we need a third-party stuff?
agrinman, almost 7 years ago
Hey HN -- one of the creators here. I saw a few people mention this in the comments and want to re-iterate: this is NOT a bug on GitHub. This is a feature of Git that GitHub has to support because we often need to push commits on behalf of other users.

However -- this does illustrate a clear reason why it sometimes makes sense to PGP-sign your releases/commits.
Comment #17682275 not loaded
Comment #17682197 not loaded
Comment #17682434 not loaded
guhcampos, almost 7 years ago
This is just propaganda.

The title is misleading, the text itself is sensationalist and over-promoting their own product.

Git authors are simply names associated to commits, it's not supposed to authenticate anyone, so talking "forgery" is just nonsense.

Any repository owners worried about the authenticity of the commits should allow only signed commits. This is available in all major git platforms AFAIK.
samschooler, almost 7 years ago
This is a remarkable landing page. Fantastic.

1. Clear problem every developer has (most don't even know !!)

2. Inform on how to solve the problem

3. Offer the convenient solution.

Wow.
Comment #17682108 not loaded
Comment #17682093 not loaded
joeblau, almost 7 years ago
Is this working? I just tried it and it generates a commit hash that leads to a 404 page[1]. I haven't looked into what the code is doing, but for it to claim that it stole my identity is very misleading.

[1] - https://github.com/git-forge/fraudulent/commit/a0a2c80140baec889c59c3c4c1caa8165788511d
Comment #17682303 not loaded
thebluehawk, almost 7 years ago
Most git servers have an option to only allow commits to go through if the ssh key that is pushing the commit matches the SSH key associated with the account of the "Author" field. Easier to implement than enforcing PGP signing.
Comment #17682083 not loaded
calebdavenport, almost 7 years ago
This didn't quite work for me since I had my github username changed (caleb-davenport to calebdavenport) about a year ago. It used my old username instead.

https://github.com/git-forge/fraudulent/commit/f9f2b8b6f271147fa0ff7968aefc59c2b81a0b3d
jancsika, almost 7 years ago
Not sure how gitlab handles the avatar, but in practice this doesn't matter internally in a FLOSS project:

"The commit that broke something is attributed to Sojourner Truth. That's you, right?"

"Yes, that's me."

However, a centralized identity in a global namespace that merely wraps around arbitrary state entered into a local instance of git instance is not gonna go good.
kbar13, almost 7 years ago
forged commit: https://github.com/git-forge/fraudulent/commit/95321ee7b3e25f99eadf03f5af7005e4b6c1be3e

authentic commit: https://github.com/bsdlp/packagebot/commit/c7cd115357f51e8e18daa82d4d497079c93d0cec

you can use a gpg key to sign your commits and tell github about your public key so they can add a verified badge in the commit log. really only useful if github can enforce authenticity when pushing to repos...
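thebluehawk's server-side rule (only accept a commit whose author matches the account doing the push) and kbar13's point that signatures only help if the server enforces them both come down to a policy check over each pushed commit. The following is an added example, not code from the thread or from any hosting platform: it runs that policy over constructed `git log` output in the format `%H%x09%an%x09%ae%x09%cn%x09%ce%x09%G?` (the `%G?` letters are git's real signature-status codes), treats a good signature as sufficient, and otherwise requires the author's e-mail to equal the pusher's. The pusher identity is passed in as a parameter because how a real pre-receive hook learns it is platform-specific; the commit ids and identities are placeholders.

```python
# Git's %G? signature status codes (from git-log's pretty formats).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. key missing)",
    "N": "no signature",
}

# Constructed sample output of:
#   git log --format='%H%x09%an%x09%ae%x09%cn%x09%ce%x09%G?'
# Commit ids are placeholders, not real objects.
SAMPLE_LOG = "\n".join([
    "\t".join(["a" * 40, "Alice Example", "alice@example.com", "Alice Example", "alice@example.com", "G"]),
    "\t".join(["b" * 40, "Bob Example", "bob@example.com", "Bob Example", "bob@example.com", "N"]),
    "\t".join(["c" * 40, "Alice Example", "alice@example.com", "Bob Example", "bob@example.com", "N"]),
    "\t".join(["d" * 40, "Bob Example", "bob@example.com", "Bob Example", "bob@example.com", "B"]),
])


def parse_log(text):
    """Turn tab-separated git log lines into dicts, one per commit."""
    commits = []
    for line in text.strip().splitlines():
        sha, an, ae, cn, ce, sig = line.split("\t")
        commits.append({
            "sha": sha,
            "author_name": an, "author_email": ae,
            "committer_name": cn, "committer_email": ce,
            "sig": sig,
        })
    return commits


def check_push(commits, pusher_email):
    """Policy for a push by `pusher_email` (identity supplied by the platform; assumed here).

    A commit passes if it carries a good signature. A bad signature always fails.
    Anything else passes only when the author line names the pushing account,
    which is the SSH-key-to-author rule expressed in terms of e-mail addresses.
    Returns a list of (short id, reason) for rejected commits.
    """
    rejected = []
    for c in commits:
        short = c["sha"][:12]
        if c["sig"] == "B":
            rejected.append((short, "bad signature"))
        elif c["sig"] == "G":
            continue
        elif c["author_email"].lower() != pusher_email.lower():
            rejected.append((short, f"unsigned commit attributed to {c['author_email']} "
                                    f"but pushed by {pusher_email} "
                                    f"({SIGNATURE_STATUS.get(c['sig'], 'unknown status')})"))
    return rejected


def rebased_commits(commits):
    """Commits whose author and committer differ: expected after a rebase by a
    maintainer (geofft's case above), but worth a second look otherwise."""
    return [c["sha"][:12] for c in commits if c["author_email"] != c["committer_email"]]


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    for sha, reason in check_push(commits, "bob@example.com"):
        print(f"REJECT {sha}: {reason}")
    print("author != committer:", rebased_commits(commits))
```

With Bob pushing, the signed commit and Bob's own unsigned commit pass, the unsigned commit attributed to Alice is rejected, and the commit with a bad signature is rejected regardless of author. The `rebased_commits` helper separates the legitimate author/committer split that a rebase produces from the case the thread is about, where the two differ because the author line was simply typed in.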
balls187, almost 7 years ago
Hrm, the commit I created a 404'd commit hash.
Comment #17682238 not loaded
WilliamEdward, almost 7 years ago
Ambiguous title. I read it as "Github, the company, commits forgery."
imdsm, almost 7 years ago
Wow.
TomK32, almost 7 years ago
Real c0d3rs don't need that, only git-vain https://github.com/will/git-vain