DEV Community

Spoof a commit on GitHub. From Anyone.

Alex Grinman on August 02, 2018

Did you know that anyone can commit as you on GitHub? If you don't believe me, just browse through this repository's forged commits or use our to...
Phil Ashby

[full disclosure - I work for an identity intelligence company!]

Thanks for the heads up Alex, although I would question the use of GitHub accounts as a source of trusted identity (suggested by other comments below via GitHub's help pages). These are likely to be trivially forgeable too.

Git's support for GPG keys to strengthen the trust in a commit is based on the assumption that the committer already owns a trusted GPG identity (where the trust is obtained through other parties attesting to their identity / key signing, in the usual GPG way).

Where this isn't possible, it may be better to look at federation with trusted identity providers, such as those who assure IDs for banks, governments, etc. Depends what the value of that commit is I guess!

Thomas H Jones II

Several months back, I was setting up a new project on GitHub. As I was configuring my protected branches, I noticed a checkbox for "Require signed commits". I'm one of those obsessive box-checker freaks. So, when I noticed this new box, I clicked on the link to see what it was about and how to make it so I could check the box. Been signing commits ever since then (and Slack-shaming teammates whose commits don't have the green Verified box).
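The "Verified" check the comment above describes can also be run outside GitHub. The following is an added example for this thread, not code from the original post, from GitHub or from krypt.co: it audits the output of a `git log` format string and flags commits whose author email belongs to a trusted maintainer but which carry no good signature from a key bound to that maintainer. The sample log text, hashes, key IDs and the trust roster are constructed; the expected `git log` invocation and the meaning of the `%G?` status letters are git's documented behaviour, but nothing here invokes git or a keyring.

```python
"""
Audit 'git log' output for commits that claim a trusted author identity
without a signature that actually backs the claim.

Expects lines produced by (assumption: a git with gpg configured):

    git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%GK' --no-merges

%G? is git's signature status letter (G good, N no signature, B bad,
U good but untrusted key, E cannot be checked, X/Y expired, R revoked);
%GK is the key ID of the signing key, empty when unsigned.
"""
from dataclasses import dataclass

SEP = "\x1f"  # %x1f, the unit separator; it cannot occur in names or emails

# Constructed sample output: hashes and key IDs are made up for this example.
SAMPLE_LOG = "\n".join([
    SEP.join(["1" * 40, "Alice Example", "alice@example.com", "G", "0123456789ABCDEF"]),
    SEP.join(["2" * 40, "Alice Example", "alice@example.com", "N", ""]),
    SEP.join(["3" * 40, "Alice Example", "alice@example.com", "G", "FEDCBA9876543210"]),
    SEP.join(["4" * 40, "Alice Example", "alice@example.com", "B", "0123456789ABCDEF"]),
    SEP.join(["5" * 40, "Random Contributor", "someone@example.org", "N", ""]),
])

# Assumed trust roster: which signing key IDs are bound to which maintainer
# email.  In practice this comes from your team's key inventory, not from git,
# because git itself will happily record any user.email you configure.
TRUSTED_KEYS = {
    "alice@example.com": {"0123456789ABCDEF"},
}


@dataclass(frozen=True)
class Finding:
    commit: str
    author_email: str
    verdict: str  # ok, spoofed, wrong-key, bad-signature, unverified


def classify(email: str, status: str, key_id: str, trusted: dict) -> str:
    """Decide whether a commit's claimed author is backed by its signature."""
    if email not in trusted:
        # Not a maintainer identity: an unsigned commit here is merely
        # unverified, not an impersonation of someone we trust.
        return "ok" if status == "G" else "unverified"
    if status == "N":
        # The author header is free text taken from 'git config user.email';
        # with no signature, nothing ties this commit to the real maintainer.
        return "spoofed"
    if status != "G":
        # B, U, E, X, Y, R: a signature exists but does not verify cleanly.
        return "bad-signature"
    if key_id.upper() not in trusted[email]:
        # Valid signature, but from a key never bound to this identity.
        return "wrong-key"
    return "ok"


def audit(log_text: str, trusted: dict = TRUSTED_KEYS) -> list:
    """Parse the formatted log and return one Finding per commit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, _name, email, status, key_id = line.split(SEP)
        findings.append(Finding(commit[:12], email, classify(email, status, key_id, trusted)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.commit}  {f.author_email:<22}  {f.verdict}")
```

The second sample commit is the case the article is about: a correct author name and email, written by whoever ran `git commit`, with no signature. Only the key roster, not the author header, distinguishes it from the first.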

Aditya Varma

Why is the repository disabled? github.com/git-forge/fraudulent

Alex Grinman

It's unfortunate -- I guess GitHub decided it was against their ToS. I don't agree personally, and we made it very clear that spoof.krypt.co was a demonstration, but we must respect their decision (and ability) to do this :/

James Finstrom

itsafeature 😁

I work for a major open source project and commit patches from other developers. It is their code; they get credit. Committing to your repos should generally be restricted anyway. Some places use signed commits as a form of CLA, but overall this is a necessary thing.

crawlingcity

This works on Bitbucket too; had a coworker committing as myself for a while because my name and email were somehow configured inside a Docker container.

Jason R Tibbetts

Can you use this method to spoof a user with more permissions than you normally have, such as someone with PR merge permission?

(Asking for a friend. ;))

Martin Huter

Thanks for spreading the word on signing git commits.

Know all of it, but still enjoyed reading.

rhymes

Didn't know! Thanks!

Is this the solution? help.github.com/articles/signing-c...

Alex Grinman

Yep!

Ankur K

Here is how to set up GPG for GitHub:

gist.github.com/ankurk91/c4f0e23d7...

leob

Awesome, didn't realize this!

Mihail Malo

The repo is down :(