英文:
Is there a way to prove that a git commit was made at a certain time?
问题
我想找到一个能够记录每次提交的 Git 托管平台的方法,以某种方式记录下来。
我希望这个日志是不可篡改的,也就是说,我不能让它看起来像是提交是在实际提交之前完成的。
我尝试在网上寻找解决方案,但没有找到任何信息。
几种可能的解决方案包括:
- 一个特定的托管平台,具有特定的设置,可以记录推送的时间,将日志存储在用户无法编辑的地方,并且无法伪造
- 一个 Git 托管平台,我可以查看 Git 的内部目录,并查看 Git 对象的修改日期
- 你可能想到的其他任何解决方案
你们有没有了解符合这些要求的任何信息?
谢谢!
英文:
I want to find a way for a git hosting platform that will log, somehow, every time I push a commit.
I want this log to be untamperable, in the sense that I will not be able to make it look as if a commit was done earlier than it was actually done.
I tried searching the web for solutions but didn't find any.
Several solutions include:
- A specific hosting platform with a setting to specifically log push times, in a place not editable to the users and in a way that cannot be faked
- A git hosting platform where I can look at git's internal directories and see the modification date of git objects
- Anything else you may think of
Does any of you know anything that might fit the requirements?
Thanks!
答案1
得分: 0
在最后,我使用https://freetsa.org来为我的提交添加时间戳。
这样,它们会被时间戳和我无法访问的私钥签名。
具体来说,这是我的post-commit文件:
commit_hash=`git rev-parse HEAD`
toplevel_path=`git rev-parse --show-toplevel`
path=$toplevel_path/timestamps/$commit_hash
openssl ts -query -digest $commit_hash -no_nonce -out $path.tsq
curl -H "Content-Type: application/timestamp-query" --data-binary @$path.tsq https://freetsa.org/tsr > $path.tsr || rm $path.tsr
rm $path.tsq
如果我想检查签名中的时间,我可以使用以下命令:
openssl ts -reply -in timestamps/<commit-hash>.tsr -text
如果我想检查时间戳的有效性,我可以使用以下命令:
openssl ts -verify -digest <commit-hash> -in timestamps/<commit-hash>.tsr -CAfile cacert.pem -untrusted tsa.crt
其中cacert.pem和tsa.crt是从https://freetsa.org下载的。
附注:部分感谢chatGPT。在早些被删除的回答中,有人发布了一条似乎来自chatGPT的回复,在其中一个解决方案是为提交添加时间戳。一开始我不太明白,因为我考虑过使用自己生成的私钥为其添加时间戳,并在评论中询问是否有时间戳服务,但一直没有回答,直到我想到要在谷歌上搜索加密时间戳服务,发现这个东西实际上(不出所料)存在。
英文:
In the end I used https://freetsa.org to timestamp my commits when they are committed.
That way, they are signed with timestamp and with a private key I don't have access to.
Specifically, that's my post-commit file:
commit_hash=`git rev-parse HEAD`
toplevel_path=`git rev-parse --show-toplevel`
path=$toplevel_path/timestamps/$commit_hash
openssl ts -query -digest $commit_hash -no_nonce -out $path.tsq
curl -H "Content-Type: application/timestamp-query" --data-binary \@$path.tsq https://freetsa.org/tsr > $path.tsr || rm $path.tsr
rm $path.tsq
If I want to check the time in the signature I can use the command openssl ts -reply -in timestamps/<commit-hash>.tsr -text
and if I want to check the timestamp's validity I can use the command openssl ts -verify -digest <commit-hash> -in timestamps/<commit-hash>.tsr -CAfile cacert.pem -untrusted tsa.crt
where cacert.pem and tsa.crt are downloaded from https://freetsa.org.
P.S. Partial credit to chatGPT. In an earlier answer which got deleted someone posted a reply that seems to have come from chatGPT, in which one of the solutions was timestamping the commits. I didn't undertand it at first because I thought of timestamping it myself with a private key that I would generate and asked in a comment if there is a timestamp service, but I remained unanswered, until I thought to search google for a cryptographic timestamp service and found that this thing actually (unsurprisingly) exists.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论