On 02/04/2024 18:27, Ilija Tovilo wrote:
> If your GitHub account is compromised,
> [...] the attacker may simply register their
> own gpg key in your account, with the commits appearing as verified.
> If your ssh key is compromised instead, and you use ssh to sign your
> commits, the attacker may sign their malicious commits with that same
> key they may use to push.
The key point (pun not intended) is that git doesn't record who pushed a
commit - pushing is just data synchronization, not part of the history.
What it records is who "authored" the commit, and by default that's just
plain text; so if somebody compromises an SSH key or access token
authorised to your GitHub account, they can push commits "authored by"
Derick, or Nikita, or Bill Gates, and there is no way to tell them apart
from the real thing.

In fact, you don't need to compromise anybody's key: you could socially
engineer a situation where you have push access to the repository, or
break the security in some other way. As I understand it, this is
exactly what happened 3 years ago: someone gained direct write access to
the git.php.net server, and added commits "authored by" Nikita and
others to the history in the repository.

If all commits are signed, a compromised key or account can only be used
to sign commits with that specific identity: your GitHub account can't
be used to sign commits as Derick or Nikita, only as you. The impact is
limited to one identity, not the integrity of the entire repository.
Regards,
--
Rowan Tommins
[IMSoP]
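To make the identity binding described in the message above concrete, here is an added Go model (not git's own code and not from this thread) of the check an allowed-signers file provides: the author line is plain text anyone can write, while a signature only verifies under the key the project has pinned for that identity. Ed25519 stands in for ssh signing keys, and the e-mail addresses are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Commit models the identity-bearing part of a git commit object: the author
// line is free text, so on its own it proves nothing about who wrote it.
type Commit struct {
	Author  string // e-mail address (sample addresses below are constructed)
	Message string
	Sig     []byte // signature over Payload(); nil for an unsigned commit
}
// Payload is what gets signed: the commit object minus its signature header (reduced here to author + message).
func (c Commit) Payload() []byte { return []byte("author " + c.Author + "\n\n" + c.Message) }
// Sign attaches a signature, as `git commit -S` does with the configured key.
func Sign(c Commit, priv ed25519.PrivateKey) Commit {
	c.Sig = ed25519.Sign(priv, c.Payload())
	return c
}
// AllowedSigners stands in for gpg.ssh.allowedSignersFile: one project-pinned public key per identity.
type AllowedSigners map[string]ed25519.PublicKey
// Verify accepts a commit only if its signature checks out under the key pinned
// for the author it claims, so a compromised key yields commits that verify
// under its owner's identity and nobody else's.
func (a AllowedSigners) Verify(c Commit) error {
	if c.Sig == nil {
		return fmt.Errorf("unsigned commit: author %q is an unverified claim", c.Author)
	}
	pub, ok := a[c.Author]
	if !ok {
		return fmt.Errorf("no key pinned for %q", c.Author)
	}
	if !ed25519.Verify(pub, c.Payload(), c.Sig) {
		return fmt.Errorf("commit claiming %q was not signed with that identity's key", c.Author)
	}
	return nil
}

func main() {
	rowanPub, rowanPriv, _ := ed25519.GenerateKey(rand.Reader)
	nikitaPub, _, _ := ed25519.GenerateKey(rand.Reader)
	signers := AllowedSigners{"rowan@example.invalid": rowanPub, "nikita@example.invalid": nikitaPub}
	for _, author := range []string{"nikita@example.invalid", "rowan@example.invalid"} {
		// Rowan's key signing as Nikita is rejected; signing as Rowan prints <nil>.
		fmt.Println(signers.Verify(Sign(Commit{Author: author, Message: "refactor"}, rowanPriv)))
	}
}
```

Real git looks the principal up from the key rather than from the author line, so a reviewer (or a platform's "Verified" badge) still has to compare the signer identity with the claimed committer; the pinning step is what makes that comparison meaningful.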