前言
Git commit 伪造攻击
https://github.com/aguerrero/Faking-Git-Commits
Git 本身并没有检查是谁提交的commit。 提交者可以在提交时提供author 和email 信息
git commit --author="Linus Torvalds torvalds@linux-foundation.org" -m "Change grade"
这样,就可以在自己的repo 里伪造一个commit, 看起来是Linus Torvalds 提交的。
当然这可能并不能起到什么攻击,因为只能将commit push 到自己的repo 中。
但在github 这种开源环境中, 很容易造成混乱。
Consider the average CS student that will be searching for jobs after graduation. Such a student may be building a portfolio to present to possible employers, but may not have anything on GitHub that catches too much attention. One way to change that could be to fake some commits from some high profile programmers like Linus Torvalds. Having some commits from Linus may get your project some attention and make people assume you are a better programmer than you really are. After all, if your project was bad, there would be no way Linus would have looked at it and contributed in the first place.
Git 本身提供了使用GPG https://en.wikipedia.org/wiki/GNU_Privacy_Guard 来签名的方式。
Github 上提供了非常完善的说明: https://help.github.com/categories/gpg/
配置好后,就可以在Github 上显示为 Verified。
是不是会更酷一点?
如果GPG 的key 对应的email 和commit 的email 不同, github 会把GPG的key 显示为“unverified”。 可以给该
GPGkey 增加 email。 https://www.ahmadnassri.com/blog/github-gpg-keybase-pgp/
GPG 不光可以用户签名git commit, 还可以用来签名邮件,以及加密等。
