emmdee

Reputation: 1621

Enforce authenticated usernames with git commits (Gitlab in this case)

We host a private gitlab repo, but I believe this is an overall git question since I've seen this behavior before.

Let's say my REAL gitlab / github / etc account details are as follows:

Username: emmdee

User Email: [email protected]

So I go to some server and clone a repo, make some changes and I'm ready to commit.

If I set the username and email locally:

git config user.name "Someone Else"
git config user.email "[email protected]"

When I push a commit into the server, the above username/email is added as the commit author.

The "Someone Else" is shown as the author regardless of the fact that I needed to enter my real credentials to authenticate the push (either ssh key or user/pass).

Problem scenario case:

Team of 30 devs, maybe even some external vendors. Someone pushes some questionable code but has "spoofed" their username/email as shown above. How can I track down the actual author that made the push? (They had to have authenticated during the push action)

Questions:

Upvotes: 2

Views: 806

Answers (2)

Guillaume

Reputation: 1879

You should sign your commits with your GPG key. This way, people can trust that only you can have made a specific commit, provided they trust your public key.

In your case, you can have everyone create a pair of GPG keys with their real information (name + email), and you make sure that you get their public key securely. You can then verify their commits using their public key.

Upvotes: 1

VonC

Reputation: 1324657

Is there a specific reason for this behavior that I'm not understanding the purpose of?

Git is a distributed source control system: it does not have access to a "real userbase referential" common to everywhere you can do a commit, so the user.name/email are just strings that you set up.

As such, the authentication part (when pushing for instance) has nothing to do with the commit authorship part.

If you have "spoofing" concerns, then you can at least enforce accepting only signed commits (see "Is there a way to “autosign” commits in Git with a GPG key?"): that would associate with the commit information which proves its origin.

Upvotes: 2
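A server-side pre-receive hook along these lines, as an added example that is not part of either answer: it records the authenticated GitLab account (GL_USERNAME, which GitLab exports to server hooks) next to each pushed commit's author string, which answers "who actually pushed this", and rejects commits whose author email is not registered to that account unless the commit carries a good GPG signature. The KNOWN_EMAILS table and the example addresses are constructed for the example; a real deployment would source the mapping from GitLab.

```python
#!/usr/bin/env python3
"""pre-receive hook: tie the free-text commit author to the authenticated pusher.
Reads "old new ref" lines on stdin (the pre-receive contract) and uses GL_USERNAME,
which GitLab sets for server hooks, as the authenticated identity."""
import os
import subprocess
import sys

# Constructed example data: GitLab username -> emails registered to that account.
KNOWN_EMAILS = {
    "emmdee": {"emmdee@example.com"},
    "vendor1": {"dev@vendor.example"},
}

# git log fields, NUL-separated: hash, author name, author email, signature status, key id
LOG_FORMAT = "%H%x00%an%x00%ae%x00%G?%x00%GK"


def evaluate_commits(log_output, pusher):
    """Return (rejected_shas, audit_lines) for NUL-separated `git log` output.
    %G? == 'G' means a good signature from a trusted key, which proves origin on its
    own; anything else must have an author email registered to the pusher."""
    allowed = KNOWN_EMAILS.get(pusher, set())
    rejected, audit = [], []
    for line in log_output.splitlines():
        if not line:
            continue
        sha, name, email, sig, key = line.split("\x00")
        # pusher = who authenticated; author = whatever user.name/user.email was set locally
        audit.append(f"pusher={pusher} commit={sha[:12]} author={name} <{email}> sig={sig} key={key}")
        if sig != "G" and email not in allowed:
            rejected.append(sha)
    return rejected, audit


def main():
    pusher = os.environ.get("GL_USERNAME", "unknown")
    for line in sys.stdin:
        old, new, ref = line.split()
        rng = new if old.strip("0") == "" else f"{old}..{new}"  # new ref: all-zero old sha
        out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rng],
                             capture_output=True, text=True, check=True).stdout
        rejected, audit = evaluate_commits(out, pusher)
        for entry in audit:
            print(entry, file=sys.stderr)  # keep the authenticated identity in the server log
        if rejected:
            print(f"rejected {ref}: {len(rejected)} unsigned commit(s) not authored by {pusher}",
                  file=sys.stderr)
            sys.exit(1)


if __name__ == "__main__":
    main()
```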
