PROPOSAL: require mandatory GPG sign for every commits (or collaborators)

[phra]

Hi,

I propose to increase the security of this repository requiring a GPG sign verification for every commits, à la Linux kernel.

Of course, it can be a bit intimidating for new committers, but NodeJS is a very popular JavaScript runtime and we should try to implement the maximum level of security available to prevent any tampering with it.

As a fallback, I suggest at least to require the GPG sign for every stable collaborator.

What do you think about it guys?

[tniessen]

No strong opinion on this, just some thoughts:

• Collaborators use 2FA on GitHub, so the only way for a third party to push to this repository (that I know of) is by somehow retrieving one of the personal access tokens.
• Signing every commit does not enhance security further than signing the last commit of each change set from a single author.
• Having contributors sign commits does not really add anything either as those are being reviewed manually (so we don't really care who pushed the changes, we just care about the contents) and the signatures cannot be copied to the master branch due to rebasing.

[Fishrock123]

I'm not really certain this would do any good, and it would probably be lost through our branch management anyways.

I'd be ok with having this be for releasers doing releases though, including myself.

[phra]

The main benefit is to prevent that someone can push a commit with an arbitrary user.name and user.email in their .gitconfig without having a proof that proves the identity is correct, that is the non-repudation property.

As you can see on this repository you have both started to contribute to my brand new repository: https://github.com/phra/git-author-commit/commits/master
Only the latest commit can be trusted because it's GPG signed.

Just my two cents.

[tniessen]

Collaborators and contributors are free to sign commits as they like at the moment. Don't get me wrong, signing commits does add to security and I approve doing so, but I don't see much value in enforcing this behavior at the moment.

As you can see on this repository you have both started to contribute to my brand new repository:

And signing my commits in this repository would not have prevented that.
The problem with GPG signatures is that you can say "yes, that's mine", but not "nope, that's not mine". You could still push unsigned commits with my email address and name, they just won't have the green badge.
(By the way, I would be careful with that, depending on your country of residence, online impersonation and/or resulting harm for those who have been impersonated can be considered a federal crime.)

Sure, it is a valid point that having all contributors sign all commits would allow us to be certain that they are indeed the author of the commit, but as long as we require all changes to be proposed via PRs which we manually review, we know who actually pushed the code. (And if you want to make some great contributions and put my name under them, please, go ahead.)

[bnoordhuis]

Furthermore, we accept (and have collaborators that submit) anonymous and pseudonymous contributions. Mandating GPG signing doesn't full-out prohibit that but it makes the barrier to entry much higher.

[phra]

Ok, I'm already positive towards the fact that you can see the security benefits of GPG signed commits besides the existing protections, that was my goal actually. 🙂

Just keep in mind that the same attack that I've done on my own repository impersonating you can be replicated by anyone that has write permission on the Node.js repository itself and GPG signs can effectively prevent that. 🙂

You are free to close the ticket.

[tniessen]

Personally, I would be okay with requiring people with write access to this repository to sign commits which they push to public branches (not including PRs), many collaborators already do so.

[phra]

@tniessen that would be already a big improvement! 💯

[Fishrock123]

As you can see on this repository you have both started to contribute to my brand new repository: https://github.com/phra/git-author-commit/commits/master

Right - at least I've known about this for a long time already.
Our existing crosslinking policies already mitigate this though as all (except some release) commits have references to discussions in the issue tracker. That makes it much easier to find if a commit wasn't what was agreed upon.

[phra]

I've sent a report to GitHub via HackerOne to ask for a visual feedback when the authors of commit/push don't match (like the Verified badge) and for an opt-in option to globally forbid pushing commits that pretend to be authored by us but they are not GPG signed. I can keep you updated about their response.

[tniessen]

globally forbid pushing commits that pretend to be authored by us but they are not GPG signed

I might miss your point here, but I don't think this is going to work. If I push a signed commit and someone else cherry-picks it onto another branch, he won't be able to push it?