Is there a way to prove that a git commit was made at a certain time?

Question

I want to find a way for a git hosting platform that will log, somehow, every time I push a commit.

I want this log to be untamperable, in the sense that I will not be able to make it look as if a commit was done earlier than it was actually done.

I tried searching the web for solutions but didn't find any.

Several solutions include:

  • A specific hosting platform with a setting to specifically log push times, in a place not editable by the users and in a way that cannot be faked
  • A git hosting platform where I can look at git's internal directories and see the modification date of git objects
  • Anything else you may think of

Do any of you know anything that might fit the requirements?

Thanks!

Answer 1

Score: 0

In the end I used https://freetsa.org to timestamp my commits when they are committed.

That way, they are signed with a timestamp and with a private key I don't have access to.

Specifically, that's my post-commit file:

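    #!/bin/sh
    # post-commit hook: request an RFC 3161 timestamp for the new commit
    commit_hash=$(git rev-parse HEAD)
    toplevel_path=$(git rev-parse --show-toplevel)
    path="$toplevel_path/timestamps/$commit_hash"
    # Build the timestamp query over the commit hash itself
    openssl ts -query -digest "$commit_hash" -no_nonce -out "$path.tsq"
    # Send the query to the TSA; remove the reply file if the request fails
    curl -H "Content-Type: application/timestamp-query" --data-binary "@$path.tsq" https://freetsa.org/tsr > "$path.tsr" || rm "$path.tsr"
    rm "$path.tsq"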

If I want to check the time in the signature I can use the command

    openssl ts -reply -in timestamps/<commit-hash>.tsr -text

and if I want to check the timestamp's validity I can use the command

    openssl ts -verify -digest <commit-hash> -in timestamps/<commit-hash>.tsr -CAfile cacert.pem -untrusted tsa.crt

where cacert.pem and tsa.crt are downloaded from https://freetsa.org.

P.S. Partial credit to ChatGPT. In an earlier answer which got deleted someone posted a reply that seems to have come from ChatGPT, in which one of the solutions was timestamping the commits. I didn't understand it at first because I thought of timestamping it myself with a private key that I would generate and asked in a comment if there is a timestamp service, but I remained unanswered, until I thought to search Google for a cryptographic timestamp service and found that this thing actually (unsurprisingly) exists.
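
What the hook's .tsq file carries, as an added example that is not part of the original answer: a Python sketch that builds the RFC 3161 TimeStampReq for a commit id byte by byte, showing that only the hash bytes and an explicit hash-algorithm identifier go to the timestamp service. It goes beyond the answer by also accepting 64-hex SHA-256 object ids; the function names and the sample commit id are made up for illustration.

```python
# Added example. DER AlgorithmIdentifier bodies (OID + NULL), by digest length.
HASH_ALGS = {
    20: ("sha1", bytes.fromhex("06052b0e03021a0500")),
    32: ("sha256", bytes.fromhex("06096086480165030402010500")),
}

def der(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_tsq(commit_id, cert_req=False):
    """Return the DER TimeStampReq for a full hex commit id, without a nonce."""
    try:
        digest = bytes.fromhex(commit_id)
    except ValueError:
        raise ValueError("need a full hex object id, not a ref name") from None
    if len(digest) not in HASH_ALGS:
        raise ValueError(f"unsupported digest length: {len(digest)} bytes")
    alg = der(0x30, HASH_ALGS[len(digest)][1])
    imprint = der(0x30, alg + der(0x04, digest))  # MessageImprint
    body = der(0x02, b"\x01") + imprint           # version v1, then imprint
    if cert_req:  # ask the TSA to embed its certificate (openssl's -cert)
        body += der(0x01, b"\xff")
    return der(0x30, body)

def read_imprint(tsq):
    """Return (algorithm name, hex digest) from a request built above."""
    _, req, _ = tlv(tsq)
    _, _, pos = tlv(req)               # skip the version INTEGER
    _, imprint, _ = tlv(req, pos)
    _, alg, pos = tlv(imprint)
    _, digest, _ = tlv(imprint, pos)
    names = {body: name for name, body in HASH_ALGS.values()}
    return names[alg], digest.hex()

if __name__ == "__main__":
    print(build_tsq("0123456789abcdef0123456789abcdef01234567").hex())  # constructed id
```

The TSA signs these digest bytes together with its own clock time, so the token ties the time to the commit object and, through the tree and parent hashes inside that object, to the history behind it.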

huangapple
  • This article was posted on February 14, 2023, 01:16:31
  • When reposting, please be sure to keep the link to this article: https://go.coder-hub.com/75439148.html