Spoofing git commits to change history

Once you can push to a git repository, it is child’s play to spoof commits pretending to be someone else: the author and committer fields of a commit are free text taken from git config, and git itself never verifies them. Here’s a step-by-step on how to do it and how to protect against it.


Let’s play

git config --global user.email "f4k3usr--REDACTED--"
git config --global user.name "f4k3usr"
git log

spoofing a commit (the wrong way)

The --author flag only overrides the author field. The committer is still taken from user.name and user.email, so git log --format=fuller (or a hosting UI that shows both fields) reveals that f4k3usr committed a change attributed to Paulo Gomes.

# amend README.md
echo $'\nPotentially malicious changes 1.' >> README.md
# stage changes
git add .
# commit using details of target user
git commit --author="Paulo Gomes <paulo--REDACTED-->" -m "Add spoof attempt 1"

spoofing a commit properly

Setting user.name and user.email to the target’s details makes both the author and the committer fields carry that identity, so the commit looks exactly like one the target made from their own machine.

# amend README.md
echo $'\nNew line by f4k3usr pretending to be someone else.' >> README.md
# stage changes
git add .
# ensure all account details are linked to the account you are spoofing
git config --global user.email "paulo--REDACTED--"
git config --global user.name "Paulo Gomes"
# commit using details of target user
git commit -m "Add spoof attempt 2"

Add a legit commit

# reset to original settings
git config --global user.email "f4k3usr--REDACTED--"
git config --global user.name "f4k3usr"
# amend README.md
echo $'\nLegit f4k3usr changes.' >> README.md
# stage changes
git add .
# commit using your own details (author and committer are f4k3usr again)
git commit -m "Add legit commit"

Did it work?

GitHub attributes a commit to whichever account has the commit’s email address, and it shows the author and committer separately when they differ. Attempt 1 therefore shows up as authored by Paulo Gomes but committed by f4k3usr, while attempt 2 is indistinguishable from a commit Paulo Gomes made himself. Nothing in an unsigned commit proves who actually made it.

What can you do about it?

Creating a GPG key

Generate a key pair with gpg --full-generate-key, using the same name and email address as your git config, then export the public half with gpg --armor --export <key id>. The output is the block you will register with GitHub:

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFpHkdjsuaihhiduhUDSHAIdyA&DTSAYDFYASUDUJDHSAKHDJAHDKAHSDJKAHDJKAHJKDHAkDHKL61qVi9+Mh+1bUU6xJ3IZWMYLdF9xKs3kmfFp…
-----END PGP PUBLIC KEY BLOCK-----

Add GPG Key to Github Account

In GitHub go to Settings > SSH and GPG keys > New GPG key and paste the exported public key block. The email address on the key must match a verified email address on your account, otherwise GitHub cannot mark your signed commits as Verified.

Start signing commits

# sign a single commit
git commit -S -m "My commit message."
# or sign every commit by default
git config --global commit.gpgsign true

What if I have multiple GPG keys?

List them with gpg --list-secret-keys --keyid-format long and tell git which one to use:

git config --global user.signingkey 00D026C4

Prefer the long key ID or the full fingerprint over the short 8-character form: short key IDs are trivially collidable, so a short ID does not reliably identify one key.

Spotting the difference

A signed commit can be checked locally; --show-signature prints gpg’s verdict (Good signature from ...) for the commit, and on GitHub the same commit carries a Verified badge. The spoofed commits above have no signature at all:

git log --show-signature -1

git verify-commit HEAD does the same check with an exit code for scripts, and git log --format='%h %an %cn %G?' prints one letter per commit (G good, B bad, U good but untrusted key, E cannot check, N no signature), which is a quick way to scan a whole history for unsigned commits.
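As an added example (not code from the original post), the script below replays both spoof attempts in a throw-away repository, prints the author, committer and signature status a reviewer can see for each, and then adds a commit signed with a freshly generated key, which is the defence described above. Everything in it is a placeholder: the example.com addresses, the temporary directories, and the key generated into an isolated GNUPGHOME. It needs git; if gpg is not installed the signing step reports skipped instead of failing.

```shell
#!/bin/sh
# Added example, not code from the original post. Replays the two spoof
# attempts in a throw-away repository, then shows the signed-commit defence.
# Assumptions: git is installed; gpg is optional (signing is skipped without
# it); every name, address and path below is a placeholder.
set -eu

# Throw-away repo with f4k3usr's identity set locally, so ~/.gitconfig is untouched.
new_repo() {
  dir=$(mktemp -d)
  git -c init.defaultBranch=main init -q "$dir"
  git -C "$dir" config user.name "f4k3usr"
  git -C "$dir" config user.email "f4k3usr@example.com"
  git -C "$dir" config commit.gpgsign false
  printf 'README\n' > "$dir/README.md"
  git -C "$dir" add README.md
  git -C "$dir" commit -q -m "Initial commit"
  echo "$dir"
}

# Author, committer and signature status of one commit.
# %G?: G good, B bad, U good but untrusted key, E cannot check, N no signature.
describe() {
  git -C "$1" log -1 --format='%an <%ae> / %cn <%ce> / %G?' "$2"
}

# Attempt 1: --author only. The committer is still f4k3usr, and describe shows it.
spoof_with_author_flag() {
  printf 'Potentially malicious change 1.\n' >> "$1/README.md"
  git -C "$1" add README.md
  git -C "$1" commit -q --author="Paulo Gomes <paulo@example.com>" -m "Add spoof attempt 1"
  describe "$1" HEAD
}

# Attempt 2: the target's identity in config. Author and committer both match.
spoof_with_identity() {
  printf 'Line by f4k3usr pretending to be someone else.\n' >> "$1/README.md"
  git -C "$1" add README.md
  git -C "$1" -c user.name="Paulo Gomes" -c user.email="paulo@example.com" \
    commit -q -m "Add spoof attempt 2"
  describe "$1" HEAD
}

# Defence: a commit signed with a key only the real Paulo holds. Uses an
# isolated GNUPGHOME (placeholder key, unprotected for the demo) and prints the
# %G? status of the new commit (G), or "skipped" when gpg is not installed.
sign_and_verify() {
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Paulo Gomes <paulo@example.com>" ed25519 sign never
  fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }')
  printf 'Legit, signed change.\n' >> "$1/README.md"
  git -C "$1" add README.md
  git -C "$1" -c user.name="Paulo Gomes" -c user.email="paulo@example.com" \
    -c user.signingkey="$fpr" commit -q -S -m "Add signed commit"
  git -C "$1" verify-commit HEAD 2>/dev/null   # non-zero exit on a bad or missing signature
  git -C "$1" log -1 --format='%G?' HEAD
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
}

# Stand-alone demo: "sh spoof-demo.sh run" lists every commit as author / committer / status.
if [ "${1:-}" = "run" ]; then
  repo=$(new_repo)
  spoof_with_author_flag "$repo"
  spoof_with_identity "$repo"
  sign_and_verify "$repo"
  git -C "$repo" log --reverse --format='%h %an / %cn / %G?'
  rm -rf "$repo"
fi
```

Run it as sh spoof-demo.sh run (the file name is an assumption). The first attempt prints f4k3usr as committer next to Paulo Gomes as author; the second prints Paulo Gomes for both and N for the signature, exactly as a reviewer would see it; only the last commit earns a G, and that is the only line of the history a policy of requiring signed commits would accept.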

Final thoughts…

Written by

Software craftsman on the eternal learning path towards (hopefully) mastery. Security enthusiast keen on SecDevOps. My opinions are my own.
