
I want to find a way for a git hosting platform that will log, somehow, every time I push a commit.

I want this log to be untamperable, in the sense that I will not be able to make it look as if a commit was done earlier than it was actually done.

I tried searching the web for solutions but didn't find any.

Several solutions include:

  • A specific hosting platform with a setting to specifically log push times, in a place not editable to the users and in a way that cannot be faked
  • A git hosting platform where I can look at git's internal directories and see the modification date of git objects
  • Anything else you may think of

Does any of you know anything that might fit the requirements?

Thanks!

  • Many Git hosting providers already have push logs. (I know GH and AzDO have it, and I assume GL and BB do too.) Note someone with access to the server could theoretically still "fake" it, though if it's an online service that would be an MS employee (for GH and AzDO) instead of the repo owner. You could be reasonably sure the push logs are accurate in that case. Note this still doesn't prove when a git commit was "made", only the first time it was pushed into the server tracking those pushes. – TTT Feb 13 '23 at 20:54
  • Thank you very much @TTT! I searched whether or not things like this exist and couldn't find any. Can you send a link to a documentation of these logs? – Roee Sinai Feb 14 '23 at 18:49
  • We're starting to wade into the product recommendation waters here which would lead to the question being closed, but there are some existing questions that should point you in the right direction, for [GitHub](https://stackoverflow.com/q/62650783/184546), and [Azure DevOps directly in the UI](https://stackoverflow.com/q/40320651/184546) and also using the [AzDO API](https://learn.microsoft.com/en-us/rest/api/azure/devops/git/pushes/list?view=azure-devops-rest-7.0&tabs=HTTP). Note the AzDO question is about force pushes, but that's just a subset of all pushes which is what the image depicts. – TTT Feb 14 '23 at 21:09
  • This looks helpful for [GitLab](https://stackoverflow.com/a/69627217/184546), and here's [BitBucket](https://confluence.atlassian.com/bitbucketserver/push-logs-998882984.html). – TTT Feb 14 '23 at 21:19
  • I looked at the ones for github and gitlab and they are no good for me. If I understand correctly, the github logs you are talking about are deleted after 90 days, so the proof is not permanent, and the gitlab logs can be accessed only by using a local gitlab platform, which is not good for me because I want my backup to be in an independent website, and also where I cannot modify it myself and add fake entries. Does this seem correct to you or have I missed something? Do you know about similar limitations in the other platforms? Thanks! @TTT – Roee Sinai Feb 22 '23 at 21:15
  • I haven't used push logs for GL and GH before so I can't confirm that, but I know the logs in AzDO don't go away after a certain time. (I can still see push logs from 4 years ago.) – TTT Feb 23 '23 at 15:29

1 Answer


In the end I used https://freetsa.org to timestamp my commits when they are committed.

That way, they are signed with timestamp and with a private key I don't have access to.

Specifically, that's my post-commit file:

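```sh
#!/bin/sh
# post-commit hook: request an RFC 3161 timestamp for the new commit from freetsa.org
commit_hash=$(git rev-parse HEAD)
toplevel_path=$(git rev-parse --show-toplevel)
path="$toplevel_path/timestamps/$commit_hash"
mkdir -p "$toplevel_path/timestamps"
# The commit hash is already a digest; -sha1 names its algorithm (SHA-1 repositories)
openssl ts -query -digest "$commit_hash" -sha1 -no_nonce -out "$path.tsq"
# --fail makes curl exit non-zero on an HTTP error, so the bad reply file is removed
curl --fail -H "Content-Type: application/timestamp-query" --data-binary "@$path.tsq" https://freetsa.org/tsr > "$path.tsr" || rm "$path.tsr"
rm "$path.tsq"
```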

If I want to check the time in the signature I can use the command `openssl ts -reply -in timestamps/<commit-hash>.tsr -text` and if I want to check the timestamp's validity I can use the command `openssl ts -verify -digest <commit-hash> -in timestamps/<commit-hash>.tsr -CAfile cacert.pem -untrusted tsa.crt` where `cacert.pem` and `tsa.crt` are downloaded from https://freetsa.org.

P.S. Partial credit to chatGPT. In an earlier answer which got deleted someone posted a reply that seems to have come from chatGPT, in which one of the solutions was timestamping the commits. I didn't understand it at first because I thought of timestamping it myself with a private key that I would generate and asked in a comment if there is a timestamp service, but I remained unanswered, until I thought to search google for a cryptographic timestamp service and found that this thing actually (unsurprisingly) exists.
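The answer above sends a timestamp query built from the commit hash; as an added example (not part of the original answer), this Python sketch builds the RFC 3161 `TimeStampReq` fields that a `-digest ... -no_nonce` query carries and reads the imprint back, which shows that only the hash and its algorithm identifier reach the timestamp service. The function names and the sample hash are assumptions made for illustration, and checking the service's signature on the reply still needs `openssl ts -verify`.

```python
# DER AlgorithmIdentifier (OID + NULL parameters), keyed by digest length in bytes:
# 20 = SHA-1 commit ids, 32 = SHA-256 ids (git init --object-format=sha256).
ALG_BY_LEN = {
    20: bytes.fromhex("300906052b0e03021a0500"),
    32: bytes.fromhex("300d06096086480165030402010500"),
}

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form lengths cover these small messages."""
    if len(body) > 127:
        raise ValueError("long-form DER lengths are not handled here")
    return bytes([tag, len(body)]) + body

def build_tsq(commit_hash: str) -> bytes:
    """TimeStampReq: version 1 plus messageImprint, no nonce and no certReq."""
    digest = bytes.fromhex(commit_hash)
    if len(digest) not in ALG_BY_LEN:
        raise ValueError("commit id must be 40 (SHA-1) or 64 (SHA-256) hex digits")
    imprint = der(0x30, ALG_BY_LEN[len(digest)] + der(0x04, digest))
    return der(0x30, der(0x02, b"\x01") + imprint)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the short-form TLV starting at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated or long-form DER")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER")
    return buf[pos], buf[pos + 2:end], end

def imprint_of(tsq: bytes) -> str:
    """Hex digest carried in the request's messageImprint."""
    tag, req, end = read_tlv(tsq, 0)
    if tag != 0x30 or end != len(tsq):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = read_tlv(req, 0)
    if (tag, version) != (0x02, b"\x01"):
        raise ValueError("unexpected TimeStampReq version")
    tag, imprint, _ = read_tlv(req, pos)
    _, _, alg_end = read_tlv(imprint, 0)          # AlgorithmIdentifier
    dig_tag, digest, _ = read_tlv(imprint, alg_end)  # hashedMessage
    if tag != 0x30 or dig_tag != 0x04 or ALG_BY_LEN.get(len(digest)) != imprint[:alg_end]:
        raise ValueError("digest length does not match the declared algorithm")
    return digest.hex()

def request_matches(tsq: bytes, commit_hash: str) -> bool:
    """True when the request binds exactly this commit id."""
    return imprint_of(tsq) == commit_hash.lower()

if __name__ == "__main__":
    sample = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit
    print(build_tsq(sample).hex(), request_matches(build_tsq(sample), sample))
```

Because the request carries no `certReq`, the reply does not have to include the signer's certificate, which is why the verify command in the answer passes `tsa.crt` with `-untrusted`.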