Git: sign a commit somewhere in history

In some places on the Internet (for example, here) it is taken for granted that a git commit must be signed at the time it is made or never.

However, technically, the signature on the commit is nothing more than the signature of the commit object (as shown here), which consists of a hash of the "tree" file (this is a list of hashes of git objects), a hash of the parent, and some metadata.

As a result, it seems that nothing prevents adding a signature after the fact without rewriting the whole history.

Is this really possible? Is there a recommended way to do this? Will such a signature added after the fact work with pushes and pulls?

+4
2 answers

I do not believe that you can do this without rewriting history. I cloned the same repository twice to run a test. I made the same change in both repositories and then committed it with the same log message ("foobar"), with the only difference being that one was signed and the other was not.

# unsigned test
parent 50c6dd65f1d7a240cf6b5c9585ce363ef4708d1e
new    b3ff731922f80a417b84ed492537c1f7ba74715e

# signed test
parent 50c6dd65f1d7a240cf6b5c9585ce363ef4708d1e
new    688b3be2e55558c45b00b6a6c02086a03768e02d

As you can see, starting with the same parent (50c6dd65), the result is two different commit hashes. Thus, for unsigned commits, this is no different from any other rewriting of history (and therefore carries the same obligations).

In response to your comment asking if the hash has changed just because of the difference in timestamps, I don't believe that. If you check with cat-file:

$ git cat-file -p 688b3be2e55558c45b00b6a6c02086a03768e02d
tree 074e53e54670dea3502229e9494f3d571f5dcc16
parent 50c6dd65f1d7a240cf6b5c9585ce363ef4708d1e
author Dan Lowe <dan@XXXXXXXX.com> 1448768563 -0500
committer Dan Lowe <dan@XXXXXXXX.com> 1448768563 -0500
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1

 iQEVAwUAVlp0N1rGfrtJ2k+kAQIbYQf7BLx3/jqU/vwvoJOcbq5MPK0ok7B8mOaF
 VWhNCbAeOBMzXdrn8IQxY2xYcPsy+d6pNx6ZOF70L3VZm6rWFxNzZQRrjS4ByOAM
 VyoL8bXceMcrb/sQUHM5yTCaDcfoYx40K0q91XsGew2EIzNKcOraK1Ee4hEtPg1D
 ojyPVjiWz2qMJJ0YYAATSvWwlKFO2ShTC6tGZDHrx0e6BAEN5QS4KdGhNech/vpU
 IPFDjIKWtGPTbYY8Z95vKLAMYWPZDJ8j/x1gRytN8PDjRufRtpRnZMccB6JQoXNZ
 5L23WQFfUFeXRdWf0MtkrbrSwzuaaIF8l1oGYnEtYT6nOIktPT47Fw==
 =/U9b
 -----END PGP SIGNATURE-----

foobar

, -, . , gpgsig , , .

+2
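To make the point of the answer above concrete, here is an added example (not code from either answer) that reproduces git's commit-id computation in Python: the object id is SHA-1 over the serialized commit object, so embedding a gpgsig header changes the id even though tree, parent, author and message stay the same, while the bytes gpg actually verifies are the object with that header stripped. The tree, parent and author lines are taken from the cat-file output above; the signature text is a constructed placeholder, not a real signature.

```python
import hashlib


def git_object_id(kind: str, body: bytes) -> str:
    """Object id exactly as git computes it: SHA-1 over '<type> <size>\\0' + body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def build_commit(tree, parent, author, committer, message, gpgsig=None) -> bytes:
    """Serialise a commit object. A signature is stored as a 'gpgsig' header;
    its continuation lines (including blank ones) are prefixed with one space."""
    lines = [f"tree {tree}", f"parent {parent}",
             f"author {author}", f"committer {committer}"]
    if gpgsig is not None:
        sig_lines = gpgsig.strip().splitlines()
        lines.append("gpgsig " + sig_lines[0])
        lines.extend(" " + line for line in sig_lines[1:])
    return ("\n".join(lines) + "\n\n" + message + "\n").encode()


def signed_payload(commit: bytes) -> bytes:
    """The bytes gpg verifies: the commit object with the gpgsig header and its
    continuation lines removed. Everything else, message included, is covered."""
    headers, _, message = commit.decode().partition("\n\n")
    kept, in_sig = [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            continue
        if in_sig and line.startswith(" "):
            continue
        in_sig = False
        kept.append(line)
    return ("\n".join(kept) + "\n\n" + message).encode()


# Values from the cat-file output in the answer; the signature is constructed.
TREE = "074e53e54670dea3502229e9494f3d571f5dcc16"
PARENT = "50c6dd65f1d7a240cf6b5c9585ce363ef4708d1e"
WHO = "Dan Lowe <dan@XXXXXXXX.com> 1448768563 -0500"
FAKE_SIG = ("-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\n"
            "PLACEHOLDERNOTAREALSIGNATURE\n=xxxx\n-----END PGP SIGNATURE-----")


def demo() -> dict:
    unsigned = build_commit(TREE, PARENT, WHO, WHO, "foobar")
    signed = build_commit(TREE, PARENT, WHO, WHO, "foobar", gpgsig=FAKE_SIG)
    return {
        "unsigned_id": git_object_id("commit", unsigned),
        "signed_id": git_object_id("commit", signed),
        # the signed payload is byte-for-byte the unsigned commit object
        "payload_matches_unsigned": signed_payload(signed) == unsigned,
    }
```

Because the id covers the whole object, a signature added later is a new commit with a new id, and every descendant has to be rewritten to point at it.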

git SHA-1-. , .

, , , . , - git show , ref ref. , , , , .

. , , - .

+1

Source: https://habr.com/ru/post/1617867/
