In today’s world, fraudsters and scammers frequently attempt to masquerade as another person or entity. Identity theft happens for many reasons, including but not limited to stealing credit, credentials or currency, or discrediting someone by falsely attributing statements or other content to them. Unfortunately, verifying someone’s identity and distinguishing truth from lies is difficult for most people.

As an example, practically all modern software depends to some degree on open source code that is hosted and developed on GitHub, the world’s largest code hosting service. A GitHub repository exposes a project’s full source code along with its complete authorship and history, and GitHub goes out of its way to make that information visible (for instance by drawing a user’s avatar next to any commit authored in their name). What many people may not realize is that the author name and e-mail on a commit are free-text fields set by whoever creates the commit: this information is entirely under the control of whoever controls the repository and can be trivially forged.

Open source software is supposed to be about the code rather than the author, so at first this does not look like a serious problem. In practice, though, most developers cannot review all of the code all of the time, so reputation-based trust becomes a habit. Trusting a reputation, or an identity, opens an attack vector similar to phishing: people can be tricked into trusting something because it carries a familiar name.

A scammer could easily fork a project to a similar-looking repository URL and add commits in the name of a credible person, then either try to trick people into using that repository instead of the official one, or submit pull requests to other forks or back to the original, hoping that reviewers mistake the additions for the work of a legitimate contributor. Another possible consequence is that objectionable content could be committed in someone else’s name in an attempt to damage their reputation in the developer community. As we’ve seen with SickRage, this can definitely lead to problems.

See Proof of Concept:

The good news is that there is a solution: Git and GitHub support cryptographic signatures, making it possible to verify whether a commit truly was made with a trusted key. The bad news is that very few projects actually use this feature. We have therefore put together this tutorial on setting up GPG on your computer and signing your e-mail messages and Git commits:

How to Set Up GPG

1. Download GPG
   - Windows: [GnuPG](https://www.gnupg.org)
   - macOS: use [Homebrew](https://brew.sh) and run `brew install gpg`
   - Linux: `apt install gpg` (or the equivalent with pacman/yum/etc.)
2. Prepare your Command Line Interface (CLI) for interacting with GPG
   - Windows: install and use [Git for Windows](https://gitforwindows.org/); its Git Bash shell is where the commands below are typed
   - macOS: use Terminal
   - Linux: use Terminal
3. Generate GPG keys: `gpg --full-generate-key`
   - Make sure to choose a strong passphrase
   - Make sure to use the e-mail address registered with your GitHub account; GitHub only shows a commit as "Verified" when the key’s e-mail matches a verified e-mail on your account
4. Write down the Long Key ID
   - Look for a line that looks like: “gpg: key 58DF0DD1C1FFF04F marked as ultimately trusted”
   - Write down those 16 hex digits; this is your Long Key ID
5. Back up your GPG keys in an encrypted, safe place, or even on paper in a safe. The secret key is the only thing that can produce your signatures, so treat the backup like a password
6. Note your Long Key ID if you haven’t already: `gpg --list-secret-keys --keyid-format long`
   - Look for the line beginning with `sec`
   - The 16 hex digits after the slash (e.g. `rsa4096/58DF0DD1C1FFF04F`) are the Long Key ID. Without `--keyid-format long`, recent GnuPG versions print the full 40-digit fingerprint on the following line instead; the last 16 digits of it are the Long Key ID
7. Check out the [GPG Cheat Sheet](http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/)

How to Upload Your Key to a Keyserver

Type this, substituting your own Long Key ID: `gpg --keyserver pgp.mit.edu --send-key 58DF0DD1C1FFF04F`

Other keyservers: keys.gnupg.net, keyserver.ubuntu.com (newer GnuPG releases default to keys.openpgp.org). Only the public key is sent; others can then fetch it with `gpg --keyserver pgp.mit.edu --recv-keys 58DF0DD1C1FFF04F`. Traditional keyservers are append-only, so a published key can be revoked but not deleted: generate a revocation certificate (`gpg --gen-revoke 58DF0DD1C1FFF04F`) and store it with your backup before you publish.



How to Sign a Message

1. Type this: `gpg --clearsign`
2. Type your message
3. Press CTRL+D

The signed message, with your text left readable between `-----BEGIN PGP SIGNED MESSAGE-----` and `-----BEGIN PGP SIGNATURE-----`, is printed to the terminal. Optionally, for an existing file, you can just run `gpg --clearsign file.txt`; a file called `file.txt.asc` will be output.



How to Verify a Signed Message

1. Type this: `gpg --verify`
2. Paste the signed message (the whole block from `-----BEGIN PGP SIGNED MESSAGE-----` to `-----END PGP SIGNATURE-----`)
3. Press CTRL+D

Optionally, for an existing file, you can just run `gpg --verify file.txt.asc`.

Verification needs the signer’s public key in your keyring: fetch it with `gpg --keyserver pgp.mit.edu --recv-keys <Long Key ID>` or import an exported key with `gpg --import`. “Good signature” means the message was signed by that key and has not been altered since; it does not by itself prove who owns the key. Confirm the key’s fingerprint (`gpg --fingerprint <Long Key ID>`) with the person over another channel before relying on it, otherwise gpg will keep warning that the key is not certified with a trusted signature.



How to Encrypt a Message

1. Type this: `gpg --encrypt --armor`
2. Enter each recipient’s Long Key ID (or e-mail address) at the prompt; the recipient’s public key must already be in your keyring
3. Press Enter on an empty line when done adding recipients
4. Type your message
5. Press CTRL+D

Optionally, for an existing file, you can just run `gpg --encrypt file.txt`; a file called `file.txt.gpg` will be output. To skip the recipient prompt, pass `--recipient` (`-r`) on the command line, e.g. `gpg --encrypt --armor -r 58DF0DD1C1FFF04F file.txt`, which outputs `file.txt.asc`. Add your own key as a recipient as well if you want to be able to read the message later.



How to Decrypt a Message

1. Type this: `gpg --decrypt`
2. Paste the encrypted message
3. Press CTRL+D

Optionally, for an existing file, you can just run `gpg --decrypt file.txt.gpg`. The plaintext is written to standard output; redirect it (`gpg --decrypt file.txt.gpg > file.txt`) or use `gpg --output file.txt --decrypt file.txt.gpg` to save it. If the sender signed the message as well, gpg verifies the signature at the same time.



How to Add Your GPG Key to GitHub

Export your public key in ASCII-armored form and copy it to the clipboard. Each command below reads the Long Key ID of your first secret key from gpg’s machine-readable (`--with-colons`) output, where it is field 5 of the `sec` record, and exports the matching public key:

macOS: gpg --armor --export $(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}') | pbcopy

Linux: apt install xclip
gpg --armor --export $(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}') | xclip -selection clipboard

Windows (Git Bash): gpg --armor --export $(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}') | clip

If you have more than one key, replace the `$(...)` part with the Long Key ID you wrote down. Only the public key is exported; never paste the output of `--export-secret-keys` anywhere. Go to GitHub and add it under Settings > SSH and GPG keys > New GPG key. [Github Help]

How to Sign Git Commits and Tags

1. Find the Long Key ID of the key you want to sign with: `gpg --list-secret-keys --keyid-format long`
2. Tell Git which GPG key to use for signing: `git config --global user.signingkey your-key-id-here`
3. Use the `-S` flag when making commits to include a digital signature (you will need Git v1.7.9 or above): `git commit -S -m "My signed commit"`
4. Use the `-s` flag when creating tags to make a signed tag: `git tag -s mytag -m "My signed tag"`
5. You can configure Git to always sign your commits: `git config --global commit.gpgsign true`

Check that it worked with `git log --show-signature -1` or `git verify-commit HEAD` (and `git verify-tag mytag`); Git reports “Good signature” only for a signature it can check against a public key in your keyring. On GitHub, the commit shows a “Verified” badge once the signing key is added to your account and its e-mail matches the commit’s committer e-mail. Note that commits and tags use different letters: for `git commit`, lowercase `-s` adds a “Signed-off-by” trailer, which is not a cryptographic signature.

Special thanks to contributors: Andrew Lee, Nick Calaway, Jon Roudier, Jayson Quayle, Ted Kim, Richard Lee, Chris Miller, Tommie Podzemski, and Caleb Chen.