
Git: Is it possible to fake the signing date of a tag?

As a scientist I would like to keep some official record of the time I check something into my Git repository. This is in order to later back up claims of who invented what first during, for instance, patent disputes.

At the moment, from time to time I add a tag to my repository like so:

git tag -s -m "`date`" 2012-08-20

and push the tags to the central server:

git push --tags

Pulling up a tag shows the date I signed it with my key:

git tag -v 2012-08-20
object 2d6f6035270e8e44c035431e99be8da3fccee095
type commit
tag 2012-08-20
tagger My Full Name <name@institution> 1345466433 +0200

Mon Aug 20 14:40:33 CEST 2012
gpg: Signature made Mon Aug 20 14:40:37 2012 CEST using RSA key ID somekey
gpg: Good signature from "My Full Name <name@institution>"
gpg:                 aka "My Full Name <personal-email>"

My question is: how secure are these dates? Is it possible to tamper with them later on?

EDIT: to clarify a bit further, I wish to be able to prove that it would be very unlikely that I tampered with the tags later on.

Marijn van Vliet asked Aug 20 '12 12:08

2 Answers

What Git guarantees is: If the date (or the rest of the tag, or the commits attached to it etc.) are altered, the SHA1 of the tag will change.

However, to make this useful, you must somehow prove what the original SHA1 tag was, and that you already had it at the claimed date of invention.

Otherwise, to fraudulently claim that you invented something in January 1980, you could just rewind your computer's date to 1980 and create the repository with the necessary commits, tags and all - git would not know, as it can only believe what the system clock tells it.

So if you want to prove that you invented/wrote something prior to some date in the past, git (alone) cannot help you, nor can any form of signing alone. What you need is Trusted timestamping. There are various different schemes, but all require one or more third parties that essentially vouch for the correctness of the timestamp.

sleske answered Sep 26 '22 17:09

What you want is a certified timestamp as described by Ryan J in this recent thread: "How can I use RFC3161 (trusted) timestamps to prove the age of commits in my Git repository?"

This appears to be a certified, verified way of recording the sha1 of the relevant tip commit.

Philip Oakley answered Sep 24 '22 17:09
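Added example (not code from either answer): how Git derives a tag's ID from its contents, tagger timestamp included, and why the ID is the value a third party has to record. The tag fields are copied from the question's output; the second timestamp, the helper names and the omission of the PGP signature block are assumptions made for illustration.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    # Git's object ID is SHA-1 over "<type> <length>", a NUL byte, then the body.
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def tag_body(target: str, name: str, tagger: str, epoch: int, tz: str, message: str) -> bytes:
    # Same layout that `git cat-file tag <name>` prints for an annotated tag.
    # A signed tag also carries the PGP signature after the message; it is
    # omitted here, so these IDs will not equal the real tag's ID.
    return (
        f"object {target}\n"
        f"type commit\n"
        f"tag {name}\n"
        f"tagger {tagger} {epoch} {tz}\n"
        f"\n"
        f"{message}\n"
    ).encode()

def matches_anchor(body: bytes, anchored_id: str) -> bool:
    # True only if this tag is byte-for-byte the one whose ID was recorded
    # externally (for example inside a trusted timestamp token).
    return git_object_id("tag", body) == anchored_id

COMMIT = "2d6f6035270e8e44c035431e99be8da3fccee095"   # from the question
TAGGER = "My Full Name <name@institution>"            # from the question
MESSAGE = "Mon Aug 20 14:40:33 CEST 2012"             # from the question

# Tag as shown in the question (tagger time 1345466433 +0200).
ORIGINAL = tag_body(COMMIT, "2012-08-20", TAGGER, 1345466433, "+0200", MESSAGE)
# Constructed variant: identical except for the tagger time (1980-01-01 UTC).
BACKDATED = tag_body(COMMIT, "2012-08-20", TAGGER, 315532800, "+0000", MESSAGE)

ORIGINAL_ID = git_object_id("tag", ORIGINAL)
BACKDATED_ID = git_object_id("tag", BACKDATED)

if __name__ == "__main__":
    # Both objects are well-formed; nothing inside either one shows which
    # clock was honest. Only an ID recorded by a third party at the time does.
    print("original :", ORIGINAL_ID)
    print("backdated:", BACKDATED_ID)
    print("backdated tag matches recorded ID:", matches_anchor(BACKDATED, ORIGINAL_ID))
```

The date inside the tag only becomes evidence once `ORIGINAL_ID` has been recorded somewhere the tagger cannot rewrite, which is the role of the trusted timestamp both answers point to.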