Enhance your Codebase Integrity and Accountability by Verifying Commits
- martinladecky
- Nov 17, 2024
- 2 min read
Updated: Nov 19, 2024
Our company recently upgraded Bitbucket, which lets us sign our commits. Bitbucket gained this feature in September 2024, years after GitHub. I can't emphasize enough how important it is to use it, but I find it hard to explain why to my colleagues. So I have put together an example of what an attacker, a colleague, or an external helper can do, using my friend Thorsten as the victim.
Picture a typical developer's environment: git, Bitbucket, and a crucial project. Thorsten was irritating today, so I'm seeking payback :).
Create a branch, e.g. evil, develop or main. Mine is thorsten_imposter.

Change your local name and email. Git does not verify either value; it simply writes them into the author and committer fields of every commit you make:
git config user.name "Thorsten"
git config user.email "Thorsten@myprivatebank.com"
Make a devilish change to a file.

Commit your change and push it:
git commit -am 'Bad boy'
git push
Look at the commit in the Bitbucket web interface:

I have tried different combinations of name and email. It looks like email is the unique ID our company uses. If I use thorsten2@myprivatebank.com, the user does not exist—see the second result.
What I find terrifying is that the user's photo and other details are automatically connected. You can click on the image to get a complete profile with a unique URL.

Summary
I successfully forged a commit in Thorsten's name. I can transfer money to my account, and he will be accountable. Remember, this can be an external developer. Or any person with access to your git. It is almost impossible to find out.
I was able to forge a commit by a non-developer. He did not even have rights to access git, but his profile was linked to the commit. Yes, it was my product owner; the next one was the CEO. Everything is possible—even the CEO can launder the money :).
What to do
Set up your key according to the Atlassian documentation.
Persuade everyone in your team to set up their keys.
Set up IntelliJ or another IDE to use the key, or sign from the command line with git commit -S (setting commit.gpgsign to true signs every commit automatically).
Enforce it on the server: enable the Bitbucket hook that verifies commit signatures, so unsigned commits are rejected at push time rather than only discovered afterwards. Documentation is available. Keep in mind that a signature only proves which key signed the commit; the check must also confirm that the key is registered to the committer, otherwise anyone with a registered key could still sign commits that carry someone else's name.
If everything is set up correctly, try pushing an unsigned commit. It should be rejected with something like this:

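As an added example (not code from the original post or from Atlassian's hook), here is the policy such a hook needs to apply to the commits it receives. It rejects the unsigned forgery shown above and also the variant that signing alone does not stop: a commit carrying Thorsten's name but signed with someone else's registered key. It assumes the hook runs git log with the %x1f-separated format given in the docstring and that, for SSH signing, the allowed-signers principal is the user's email address. The names, addresses and SHAs in the sample are constructed, and allow_foreign_author is a policy switch of this example, not a git or Bitbucket setting.

```python
"""Policy for a server-side "require verified commits" hook.

Added example; not code from the original post or Atlassian's own hook.
It assumes the hook feeds it the output of

    git log --format='%H%x1f%G?%x1f%GS%x1f%an%x1f%ae%x1f%ce' OLD..NEW

where %G? is git's signature status (G good, B bad, U untrusted key,
X/Y expired, R revoked, E cannot be checked, N no signature) and %GS is
the signer git reports: the GPG key's user ID ("Name <email>") or, for
SSH signing, the principal from the allowed-signers file.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

FIELD_SEP = "\x1f"  # emitted by %x1f; cannot occur in a name or email
LOG_FORMAT = FIELD_SEP.join(["%H", "%G?", "%GS", "%an", "%ae", "%ce"])
NULL_SHA = "0" * 40  # the "old" value git passes for a newly created ref


@dataclass
class CommitRecord:
    sha: str
    status: str           # %G?
    signer: str           # %GS, empty when the commit is unsigned
    author_name: str
    author_email: str
    committer_email: str


def parse_log(text: str) -> List[CommitRecord]:
    """Split the %x1f-separated git log output into one record per commit."""
    records = []
    for line in text.splitlines():
        if not line:
            continue
        parts = line.split(FIELD_SEP)
        if len(parts) != 6:
            raise ValueError("unexpected git log line: %r" % line)
        records.append(CommitRecord(*parts))
    return records


def signer_email(signer: str) -> str:
    """Reduce %GS to an email: GPG gives 'Name <email>'; for SSH this policy
    assumes the allowed-signers principal is the user's email."""
    match = re.search(r"<([^>]+)>", signer)
    return (match.group(1) if match else signer).strip().lower()


def check_commit(rec: CommitRecord, allow_foreign_author: bool = False) -> Optional[str]:
    """Return the reason to reject this commit, or None if it passes.

    A good signature is not enough: the key must belong to the committer.
    Otherwise Martin can set user.email to Thorsten's address, sign with
    his own key, and push the same forgery with a valid signature on it.
    """
    short = rec.sha[:12]
    if rec.status == "N":
        return f"{short}: unsigned commit claiming to be {rec.author_name} <{rec.author_email}>"
    if rec.status != "G":
        return f"{short}: signature cannot be trusted (git status {rec.status})"
    committer = rec.committer_email.lower()
    signer = signer_email(rec.signer)
    if signer != committer:
        return f"{short}: signed by {signer} but committer is {committer}"
    if not allow_foreign_author and rec.author_email.lower() != committer:
        # Legitimate for cherry-picks and applied patches, but then the
        # author shown in the web UI is not the person who signed.
        return f"{short}: author {rec.author_email} is not the signing committer {committer}"
    return None


def check_push(log_text: str, allow_foreign_author: bool = False) -> List[str]:
    """Apply the policy to a whole OLD..NEW range; an empty list means accept."""
    reasons = []
    for rec in parse_log(log_text):
        reason = check_commit(rec, allow_foreign_author)
        if reason is not None:
            reasons.append(reason)
    return reasons


def main() -> int:
    """pre-receive entry point: stdin carries one 'old new ref' line per ref."""
    problems = []
    for update in sys.stdin:
        old, new, _ref = update.split()
        # For a brand-new ref, check every commit not already reachable elsewhere.
        rev_range = [new, "--not", "--all"] if old == NULL_SHA else [f"{old}..{new}"]
        log = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", *rev_range],
                             check=True, capture_output=True, text=True).stdout
        problems.extend(check_push(log))
    for reason in problems:
        print("rejected:", reason, file=sys.stderr)
    return 1 if problems else 0


# Constructed sample of the log command's output for a push of six commits
# (fake SHAs, not from a real repository).
THORSTEN = "thorsten@myprivatebank.com"
SAMPLE_LOG = "\n".join(FIELD_SEP.join(row) for row in [
    ("a" * 40, "N", "", "Thorsten", THORSTEN, THORSTEN),                                  # the post's forgery
    ("b" * 40, "G", "Martin <martin@myprivatebank.com>", "Thorsten", THORSTEN, THORSTEN), # forged, signed by Martin
    ("c" * 40, "E", "", "Thorsten", THORSTEN, THORSTEN),                                  # key unavailable
    ("d" * 40, "G", f"Thorsten <{THORSTEN}>", "Martin", "martin@myprivatebank.com", THORSTEN),  # cherry-pick
    ("e" * 40, "G", f"Thorsten <{THORSTEN}>", "Thorsten", THORSTEN, THORSTEN),             # genuine, GPG
    ("f" * 40, "G", THORSTEN, "Thorsten", THORSTEN, THORSTEN),                            # genuine, SSH
])

if __name__ == "__main__":
    sys.exit(main())
```

Run as a pre-receive hook it reads the ref updates from stdin and exits non-zero to refuse the whole push; check_push on its own can be pointed at any range produced by the same git log command to audit history that is already in the repository. On the constructed sample the first four commits are refused (unsigned, signed by the wrong person, unverifiable, and author differing from the signing committer) and the last two pass; with allow_foreign_author=True the cherry-pick is accepted as well.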
Now, your work is done, and your repository has accountability and integrity again. Share the knowledge, and have a safe day.