

✅ Why, and not only how, signing your commits


💡 News category: Programming
🔗 Source: dev.to

I like explaining things. I love the following proverb

Give a Man a Fish, and You Feed Him for a Day. Teach a Man To Fish, and You Feed Him for a Lifetime.

Let's talk about something that is often barely explained.

If you have started using git, you have probably seen the classic tutorial that starts with:

git config --global user.email [email protected]

Then the fun begins in the tutorial.

There is an issue with these tutorials: they don't explain what happens under the hood.

So there is an email to set up. Why? Because an email is, in a sense, a unique identifier: [email protected] is not [email protected].

But there is a big catch: it is only a label. Think about it: did you see anything in these tutorials about an email verification process? No!

So it is a label, which means that at any time [email protected] can send commits labeled as if they were written by [email protected], simply by running git config user.email [email protected]

Why is that possible? Because git is a tool. There is no authority behind it. git is not GitHub.

This means that at any time an attacker could pretend to be a maintainer of a library and submit commits for review, and someone else could approve the changes. That is how you create a security breach.

The situation is critical. That's why there is a way to secure your commits. In fact it does not secure the content of the commits (it does that too, but that's another story); what it does is identify the author as the legitimate one.

This is what is called a signature.

There is only one way to do that. It's to refer to an authority.

Here are the main ways to get identified by these authorities:

  • GPG signing + public GPG key servers
  • SSH signing + git hosting provider

Both of them give you a private and public key pair that is used to establish that the committer is the owner of the key, and by extension the owner of the email, and so of the identity. The owner signs the commits with their private key, and the public key is made public. The system is asymmetric: only the owner has the private key, but everyone can check that the commits were signed with it by using the public key.

GPG signing is supposed to be more secure, but it requires understanding things such as gpg, armor, private keys, expiration and revocation. GPG key servers are public and interconnected; they replicate each other, which is part of the authority mechanism.

The second one uses SSH keys plus a git hosting provider (GitHub, GitLab …). It's easy to generate SSH keys. These git hosting providers use accounts. Each account is linked to an email; you use this email as an identifier, plus a login. The website validates your email once with a "verify email" mechanism.

These platforms allow you to link a public key with an account, so one account owns an SSH or GPG public key. And because the platform has already validated your email with a verification link, it becomes an authority, and that is why you get the "verified" badge when you sign your commits.

The verified badge is not for ego, it's for security. But you can be proud of having a verified badge, because the security of others matters to you.
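The two points above (user.email is only a label; a signature tied to a key that an authority has mapped to the email is what actually identifies the author) as an added, runnable example that is not part of the original post. It assumes git 2.34+ and OpenSSH 8.8+ (ssh-keygen -Y) are installed; the key name, the allowed-signers file and the email address are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): shows that user.email is only a
# label, and that SSH commit signing plus an allowed-signers file (the local
# stand-in for the hosting provider's "verified email -> key" mapping) lets git
# tell a real signature from a spoofed label. Assumes git >= 2.34 and
# OpenSSH >= 8.8; every name and email below is constructed.
set -eu

demo_ssh_signing() {
  command -v git >/dev/null && command -v ssh-keygen >/dev/null || {
    echo 'git and ssh-keygen are required' >&2; return 1; }
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT

  # 1. The legitimate maintainer generates an SSH key pair (no passphrase, demo only).
  ssh-keygen -q -t ed25519 -N '' -C 'maintainer@example.invalid' -f "$work/maintainer_key"

  # 2. The "authority": an allowed-signers line mapping the email to the public key.
  #    On GitHub/GitLab this is the key you upload to your email-verified account.
  printf 'maintainer@example.invalid %s\n' "$(cut -d' ' -f1,2 "$work/maintainer_key.pub")" \
    > "$work/allowed_signers"

  git init -q "$work/repo"
  cd "$work/repo"
  git config user.name  'Maintainer'
  git config user.email 'maintainer@example.invalid'
  git config gpg.format ssh
  git config user.signingkey "$work/maintainer_key"
  git config gpg.ssh.allowedSignersFile "$work/allowed_signers"

  # 3. Signed commit: git runs ssh-keygen -Y sign with the private key.
  echo 'hello' > README
  git add README
  git commit -q -S -m 'signed by the real maintainer'
  git verify-commit HEAD 2>/dev/null   # exit 0: signature matches an allowed signer

  # 4. The impersonator can set the very same label, but has no private key,
  #    so the commit carries no signature and verification fails.
  git config user.email 'maintainer@example.invalid'
  git -c commit.gpgsign=false commit -q --allow-empty -m 'spoofed label, unsigned'
  if git verify-commit HEAD 2>/dev/null; then
    echo 'unexpected: label-only commit verified' >&2
    return 1
  fi
  echo 'signed commit verified; label-only commit rejected'
}
```

Run it with `demo_ssh_signing`; with a hosting provider, `git verify-commit` is what the "verified" badge reflects, using the provider's account-to-key mapping instead of the local allowed_signers file.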

Here is a tutorial I wrote about signing your commits with SSH:

...
