
Prevent user spoofing by requiring signed commits.


It is easy to pretend to be another user in git: you simply need to set their displayed user name and email address in your configuration. There are much better articles out there about git user spoofing, such as this and this, so I shall spare you the details.

Instead, let's talk about how we can prevent this using a simple tool called GnuPG. It can be installed with Homebrew using brew install gnupg. GitHub provides a nice set of instructions for generating a GPG key and adding it to your account, so I shall skip that as well.

I'm simply here to show you what happens when someone spoofs another user's credentials and makes malicious commits.

[Screenshot, 2018-12-10 14:39: commit list showing Verified and Unverified flags]

See the Verified and Unverified flags?
You can easily prove that your own commits really are yours simply by adding your GPG keys to your account.

What about if we go one step further and require all commits to be signed?


And now we make another malicious edit and attempt to push again!

[Screenshot, 2018-12-10 15:08: the malicious edit being pushed]

[Screenshot, 2018-12-10 15:00: the push rejected because the commit is not signed]
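The rule GitHub enforces above can be applied on a self-hosted server too. As an added example (not code from the original post), this script does the check a pre-receive hook would run over the pushed range: it reads git's per-commit signature status and rejects every commit that does not carry a good signature. The script, its function names and the sample log lines are constructed for illustration.

```python
"""Reject commits that would fail a "require signed commits" rule.

git's %G? placeholder reports the signature status of each commit; only
"G" (good) is accepted here, optionally also "U" (good, unknown trust).
A pre-receive hook would run this over old..new for each updated ref.
"""
import subprocess
import sys

# Meaning of git's %G? status letters (see git-log(1), PRETTY FORMATS).
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key has unknown trust",
    "X": "good signature, but it has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (public key missing?)",
    "N": "no signature",
}
# sha, status, signer name, author; NUL-separated so names cannot confuse parsing
LOG_FORMAT = "%H%x00%G?%x00%GS%x00%an <%ae>"

# Constructed sample of what git prints with LOG_FORMAT (not real commits):
# a signed commit, a spoofed unsigned one, and one signed with an untrusted key.
SAMPLE_LOG = (
    "aaaa1111\0G\0Alice\0Alice <alice@example.com>\n"
    "bbbb2222\0N\0\0Alice <alice@example.com>\n"
    "cccc3333\0U\0Alice\0Alice <alice@example.com>\n"
)


def check_commit(line, allow_unknown_trust=False):
    """Parse one log line; return (sha, accepted, human-readable reason)."""
    sha, status, signer, author = line.split("\0")
    accepted = status == "G" or (allow_unknown_trust and status == "U")
    reason = STATUS_TEXT.get(status, "unknown status %r" % status)
    if signer:
        reason += " (signed by %s)" % signer
    return sha, bool(accepted), "author %s: %s" % (author, reason)


def check_range(log_output, allow_unknown_trust=False):
    """Check every commit in the log output; return [(sha, reason)] rejected."""
    rejected = []
    for line in log_output.splitlines():
        if line:
            sha, ok, reason = check_commit(line, allow_unknown_trust)
            if not ok:
                rejected.append((sha, reason))
    return rejected


if __name__ == "__main__":
    # Usage: check_signed.py old..new ; exit status 1 if any commit fails.
    out = subprocess.run(["git", "log", "--format=" + LOG_FORMAT, sys.argv[1]],
                         check=True, capture_output=True, text=True).stdout
    bad = check_range(out)
    for sha, reason in bad:
        print("reject %s: %s" % (sha[:12], reason))
    sys.exit(1 if bad else 0)
```

Note that a "good" status only means the signature verifies against a key in the server's keyring; a hook should also confirm that the key belongs to the committer, which is what GitHub's Verified badge adds.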

Your million dollar git repository is now safe from user spoofing with just two simple steps.
