💾 Archived View for tilde.team › ~nosnow › posts › why-sign-commits captured on 2023-01-29 at 04:33:30. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Monday, August 1, 2022 · 3 minute read
Why should you sign your commits?
______________________________________________________________________
I recently read this article \[0\] by Alessandro Segala about why I should sign
my commits. And I completely agree with, and would like to expand upon, their
work.
Identity theft is not a joke \[1\].
The FTC, in the 2021 edition of its CSN Annual Data Book \[2\], reported that
there were 1,434,676 reports of identity fraud in 2021. This theft allows the
perpetrator to commit acts of fraud in your name while reaping the benefits. As
developers, we not only have to protect our real-world identities from theft,
but our digital ones as well. And while it is important to have strong and
secure passwords, I'm not referring to your accounts as digital identities. I'm
instead talking about your contributions to open source projects.
This article focuses on `git` \[3\] and online version control systems
(VCSs) that use `git` as their backend.
It is not only possible, but incredibly easy, to author a commit under a
different identity: `git` takes the author name and email from configuration,
so anyone can set them to someone else's. In addition, online VCSs read the
`git` commit history and, for each commit, attach the account whose email
address matches the one on the commit (assuming such an account exists).
This feature is meant to provide a user-friendly way of viewing `git` commits.
However, it also lets an attacker take advantage of these tools and
publish commits to a project under someone else's identity.
The biggest threat to a developer who doesn't sign their commits is the loss of
trust a community can place in that developer.
A malicious attacker who signs off on infected, poorly written, or malformed
commits and publishes to a project can ruin a developer's relationship to a
community.
A malicious attacker could publish commits that actively ruin existing features.
They could also introduce bugs into a repository under someone's name.
To combat this, `git` allows for individuals to sign their commits with a GPG
\[4\] key.
This allows for a number of benefits:
1. Commits in the `git` history that are signed have metadata attached to them
saying that they're signed.
2. If the GPG key is published to an online VCS that supports this feature, a
*verified* tag will be applied to commits that are signed and match a user's
GPG key.
3. Developer identity can be confirmed by verifying a commit's signature
against the developer's public key, since only the matching private key could
have produced that signature.
Since reading \[0\], I have implemented commit signing for my project going
forward. I also now require all group projects to have signed commits prior to
acceptance.
Setting up signed commits was trivial, and there were plenty of guides \[0\]
\[5\] \[6\] on how to do so.
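As an added example (not from the original post, nor from Segala's article or any of the linked guides), the following Python script shows two things discussed above: that the author identity on a commit is just a header anyone can set, while a signed commit carries an extra `gpgsig` header; and how a maintainer who requires signed commits can audit `git log` output for them. The commit objects and log lines are constructed samples with made-up names, emails, hashes and signature body; the `%G?` status letters are git's own, as documented for `git log --format`.

```python
"""Inspect commit identity and signature metadata, and audit a log for a
'signed commits only' policy. Sample data below is constructed."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Raw commit objects as printed by `git cat-file -p <sha>`. Multi-line header
# values (the `gpgsig` block) continue on lines that begin with one space,
# and the blank line inside the PGP armor is stored as a lone space.
SIGNED_COMMIT = "\n".join([
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent 0000000000000000000000000000000000000001",
    "author Alice Example <alice@example.org> 1659355200 +0000",
    "committer Alice Example <alice@example.org> 1659355200 +0000",
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " ",
    " iQEzBAABCAAdFiEEplaceholderSignatureBodyNotARealSignature=",
    " -----END PGP SIGNATURE-----",
    "",
    "Fix off-by-one in parser",
])

# Same author line, no signature: nothing in the object proves Alice wrote it.
UNSIGNED_COMMIT = "\n".join([
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent 0000000000000000000000000000000000000001",
    "author Alice Example <alice@example.org> 1659355300 +0000",
    "committer Alice Example <alice@example.org> 1659355300 +0000",
    "",
    "Refactor parser (no signature: anyone can write this author line)",
])

AUTHOR_RE = re.compile(
    r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<time>\d+) (?P<tz>[+-]\d{4})$"
)


def parse_commit(raw: str) -> Dict[str, object]:
    """Split a raw commit object into headers and message and report whether
    it carries a gpgsig header. Continuation lines are re-joined."""
    header_text, _, message = raw.partition("\n\n")
    headers: Dict[str, str] = {}
    current: Optional[str] = None
    for line in header_text.split("\n"):
        if line.startswith(" ") and current is not None:
            headers[current] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers[key] = value
            current = key
    match = AUTHOR_RE.match(headers.get("author", ""))
    author = (
        {"name": match.group("name"), "email": match.group("email")}
        if match else None
    )
    return {
        "author": author,
        "signed": "gpgsig" in headers,
        "message": message.strip(),
    }


# Meaning of the one-letter status git prints for `%G?`.
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature, but expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}

# Constructed output of `git log --format='%H %G? %ae'` (short hashes for
# readability). The second line is the spoofing case from the post: it claims
# Alice's email but carries no signature at all.
LOG_LINES = [
    "a1b2c3d4 G alice@example.org",
    "b2c3d4e5 N alice@example.org",
    "c3d4e5f6 E alice@example.org",
    "d4e5f6a7 U bob@example.org",
]


def audit_signatures(
    log_lines: Sequence[str], accept: Sequence[str] = ("G",)
) -> List[Tuple[str, str, str]]:
    """Return (sha, author email, reason) for every commit whose signature
    status is not in `accept`. Defaults to accepting only fully verified
    signatures; pass accept=("G", "U") to also allow keys not yet trusted."""
    findings = []
    for line in log_lines:
        sha, status, email = line.split(" ", 2)
        if status not in accept:
            reason = STATUS_MEANING.get(status, "unknown status " + status)
            findings.append((sha, email, reason))
    return findings


if __name__ == "__main__":
    for raw in (SIGNED_COMMIT, UNSIGNED_COMMIT):
        info = parse_commit(raw)
        print(info["author"], "signed" if info["signed"] else "UNSIGNED")
    for sha, email, reason in audit_signatures(LOG_LINES):
        print(f"reject {sha} ({email}): {reason}")
```

On a real repository, `git cat-file -p HEAD` prints the object `parse_commit` expects, and `git log --format='%H %G? %ae'` produces the lines `audit_signatures` reads; a pre-receive hook or CI job that rejects anything other than `G` is the "signed commits prior to acceptance" rule from the post. Note that `E` is not a pass: it means the verifier has no key for that signature, so the identity claim is still unchecked.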
I strongly encourage all developers to sign their commits in order to improve
the verification of work done by legitimate developers, instead of allowing the
work of thieves to proliferate throughout our community.
______________________________________________________________________
0. https://withblue.ink/2020/05/17/how-and-why-to-sign-git-commits.html
1. https://tinyurl.com/yjbxpajr
2. https://www.ftc.gov/system/files/ftc_gov/pdf/CSN%20Annual%20Data%20Book%202021%20Final%20PDF.pdf
4. https://huggingface.co/docs/hub/security-gpg
5. https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits