On Thu 04 Aug 2016 22:05, Leo Famulari <l...@famulari.name> writes:

> On Thu, Aug 04, 2016 at 06:55:34PM +0200, Andy Wingo wrote:
>> On Thu 04 Aug 2016 18:44, Leo Famulari <l...@famulari.name> writes:
>> 
>> > How would the rest of us distinguish between
>> >
>> > 1) a range of your commits with a signed HEAD
>> > 2) a range of your commits with a signed HEAD that you pushed after I
>> > pushed a commit created with `git commit --author="Andy Wingo"`
>> 
>> I'm not sure what the threat model here is, and surely this is mostly
>> because I am ignorant :)  Would you mind elaborating a bit more?
>
> I admit, the example is really contrived.
>
> My point is that, as far as I know, there is no way to know who exactly
> is behind an unsigned Git commit.
>
> The "Author" and "Commit" information seen in `git log --format=full` is
> trivially forged, for example by altering the [user] field of your Git
> configuration file.

Yeah.  I guess I don't see "author misattribution on unsigned
commits" as part of the threat model.

My mental model is that if you have a signed commit A with unsigned
parents B, C, ..., that it's the person who signed commit A who signs
off on commits B, C, and so on.  That person attests to the integrity of
that range of commits, *including* the author field(s).

If you sign a HEAD which brings in an unsigned commit that you (or
someone else) forged to use me (say) as --author, it's true, I can claim
not to have made it.  But that seems a bit irrelevant to any property we
care about; dunno...

Andy
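
Added example, not part of the thread or of Git's own code: a sketch of why a signature on commit A also pins the author field of an unsigned parent B. The bytes signed for A name B by its object id, and that id is a hash over B's content, author line included. The identities, timestamp and helper names are constructed for illustration, and a SHA-1 repository is assumed.

```python
import hashlib

def object_id(kind, body):
    """Object id as Git computes it in a SHA-1 repository."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def commit_payload(tree, parents, author, committer, message):
    """Raw commit object without a gpgsig header: the bytes a commit signature covers."""
    lines = ["tree " + tree]
    lines += ["parent " + p for p in parents]
    lines += ["author " + author, "committer " + committer, "", message, ""]
    return "\n".join(lines).encode()

# Constructed identities and timestamp, for illustration only.
WHEN = "1470340000 +0200"
SIGNER = "Signer Example <signer@example.org> " + WHEN
OTHER = "Other Example <other@example.org> " + WHEN
EMPTY_TREE = object_id("tree", b"")

def history(author_of_b):
    """Unsigned commit B with the given author line, then HEAD commit A on top.
    Returns (id of B, payload that the signer of A would sign)."""
    b = object_id("commit",
                  commit_payload(EMPTY_TREE, [], author_of_b, OTHER, "unsigned change"))
    a_payload = commit_payload(EMPTY_TREE, [b], SIGNER, SIGNER, "signed HEAD")
    return b, a_payload

def signature_still_covers(signed_payload, b_id):
    """True if the payload signed for A names this exact B as its parent."""
    return ("parent " + b_id).encode() in signed_payload.split(b"\n")

if __name__ == "__main__":
    # The author line of B is free text: nothing in the object proves who typed it.
    b1, signed = history(SIGNER)
    # Same change with a different author line gives a different object id.
    b2, _ = history(OTHER)
    print(b1, signature_still_covers(signed, b1))
    print(b2, signature_still_covers(signed, b2))
```

The signature on A therefore fixes what B's author field says, but whether that name is truthful rests on the person who signed A.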
