Meeple

Reputation: 181

Masquerading as a github.com user

After using git bash to commit to repositories on github.com for a little while, I discovered some interesting behaviour.

I am able to set an email address in my local repo to anything I like, using the git config command...

git config user.email "[email protected]"

After doing so with his github.com email address, all commits I make appear under his profile, along with his inferred username and profile picture!

I am authenticating with github.com using my stored credentials, yet I am able to masquerade as him.

My two questions are:

Why is this possible and is it by design?

How can I see the authentication/user account details for the actual push over https, rather than the commit?

Upvotes: 3

Views: 92

Answers (2)

Rob Napier

Reputation: 299325

This is possible because of how git is designed, not GitHub. You're authenticating in order to access the repository. As someone with write access you may push commits to the repository. GitHub doesn't have any way to authenticate the commits themselves. You might have merged them from other users. You're not saying "these are my commits" when you push. You're saying "these are commits to add to the repository, and I'm authorized to add commits to the repository."

In fact, this is exactly how a pull request works. You send me commits, and I approve adding them to (pulling them into) the repository. The commits still have your name on them as the author, because you created them. But I'm using my authorization (and credentials) to add them. I'm not masquerading as you when I do that.

There is no tracking of who pushed each commit to the upstream. That's not stored anywhere. It is assumed that the person with push access is vouching for the commits.

There is a stronger authentication mechanism in Git, and that's the signed tag. If you want to validate that you are the person who attached a given tag to a given commit, then you can sign it. This still doesn't prove that the so-called "author" of the commit is valid. It just proves that you're the one who signed it.

Joe Phillips notes below that you can now sign individual commits. If you add -S to the commit command, you'll get this. You can also now verify signatures when using merge or pull. If your entire team makes use of this, you can likely get the level of authentication you're looking for.

(Remember in all of this that in git, a "commit" is all of the code in the repository at a given point. It's not just the changes you made. This sometimes is a point of confusion, so it's just worth keeping in the back of your mind at all times.)

Upvotes: 6

Vlad274

Reputation: 6844

This is the intended behavior, but it's not what it looks like.

When you set the email in your .gitconfig, you're not making any claim about GitHub credentials. All you're setting is the value that should be used in the "Author" field for any new commits you create. You can even manually set this for a commit by using the --author flag to the git commit command.

When you push to the remote repository, it is using your GitHub credentials - so you still can only write to repositories where you have the correct permissions.

To sum up: You're not really impersonating your coworker, all the changes are still made via your credentials. All you are doing is recording a different value for a single data field of the commit.

For more GitHub specific information, you should take a look at this help article: https://github.community/t5/Support-Protips/Why-is-my-commit-associated-with-the-wrong-person/ba-p/6728

GitHub even has a published series of steps of fixing issues like this: https://help.github.com/en/articles/changing-author-info

Upvotes: 1
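An added example (written for this page, not code from the question or either answer) that makes both answers concrete: it parses the raw commit object as `git cat-file -p <sha>` prints it, showing that the `author` line is a free-form data field, that `--author` leaves a visible author/committer mismatch while `git config user.email` does not, and that only a `gpgsig` header (a `-S` commit) gives a reviewer something to verify. All names, addresses, hashes and the signature body are constructed placeholders; the code detects that a signature is present but does not validate it, which is what `git verify-commit` is for.

```python
import re

IDENT_RE = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<time>\d+) (?P<tz>[+-]\d{4})$")

# Constructed samples of what `git cat-file -p <sha>` prints (hypothetical names,
# addresses, hashes and a placeholder signature body). SPOOFED: user.email was set to
# a colleague's address, so author and committer both carry it. AUTHORED: `--author`
# changed only the author line. SIGNED: committed with `-S`, so a gpgsig header exists.
TREE = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
COLLEAGUE = "Colleague Name <colleague@example.com> 1700000000 +0000"
ME = "My Name <me@example.com> 1700000000 +0000"
SPOOFED = TREE + f"author {COLLEAGUE}\ncommitter {COLLEAGUE}\n\nlooks like theirs\n"
AUTHORED = TREE + f"author {COLLEAGUE}\ncommitter {ME}\n\nstill pushed by me\n"
SIGNED = (TREE + f"author {ME}\ncommitter {ME}\ngpgsig -----BEGIN PGP SIGNATURE-----\n"
          " \n PLACEHOLDER-SIGNATURE-BODY\n -----END PGP SIGNATURE-----\n\nsigned by me\n")


def parse_commit(raw):
    """Split a raw commit object into headers and message. Continuation lines start
    with a space (that is how the multi-line gpgsig block is stored) and are folded
    back onto the previous header."""
    header_text, _, message = raw.partition("\n\n")
    headers, key = {}, None
    for line in header_text.split("\n"):
        if line.startswith(" ") and key is not None:
            headers[key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers[key] = value

    def ident(field):
        match = IDENT_RE.match(headers.get(field, ""))
        if not match:
            raise ValueError(f"malformed or missing {field} header")
        return {"name": match.group("name"), "email": match.group("email")}

    return {"author": ident("author"), "committer": ident("committer"),
            "signed": "gpgsig" in headers, "message": message}


def review_commit(raw):
    """Defender-side findings for one commit. The author line is free-form metadata;
    only a signature (verified separately with `git verify-commit`) binds it to a key."""
    commit = parse_commit(raw)
    findings = []
    if commit["author"]["email"] != commit["committer"]["email"]:
        findings.append("author/committer email mismatch (--author or rewritten history)")
    if not commit["signed"]:
        findings.append("no gpgsig header: authorship cannot be verified")
    return findings
```

Note that the SPOOFED case produces only the missing-signature finding: once `user.email` is changed, author and committer agree, so nothing in the object itself reveals who really pushed, exactly as the accepted answer says.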