Questions tagged [git]

A popular distributed revision control system. Built for speed, data integrity and with support for distributed, non-linear workflows.

100 questions
62 votes, 1 answer

Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?

Simply put, I am wondering why one would need to sign one's commits with a GPG key when contributing to GitHub when one is already required to provide an SSH public key?
Mahmoud Tantawy
47 votes, 3 answers

Security implications of stolen .git/objects/ files

As a security in-charge, I just noticed that one of our production web apps was attacked by some hackers. The attacker accessed the .git/objects/ files. I already modified .htaccess to make .git and its content inaccessible. The attacker may get…
32 votes, 3 answers

Is it safe to share .git folder of a public repo?

Say I cloned a repo, then maybe worked on it a bit. Then I reverted/pushed all changes, so my friend has all the repo files. Is it safe for me to send him the .git folder? Is there any private information there, such as my username, my email,…
Paul
14 votes, 1 answer

Git server security

I want to install a Git server for my company. I'm able to get a Windows virtual machine. Now I've been asked to assess its security aspects. I'm lost on how to achieve this goal. As it is a Windows virtual machine I'll be using this. Is there a way…
Flying Swissman
14 votes, 1 answer

Can I use GitHub and be PCI DSS compliant?

Is it possible to use any remote DVCS (GitHub, Bitbucket, etc.) with PCI DSS or should I host Git on my own server?
iwex
12 votes, 1 answer

Is it safe to share your `gitconfig`'s `user.signingkey` value with the world?

I'd like to publish my .gitconfig file on GitHub, which includes a signing key. As far as I understand, since this is related to code signing, the key referenced there is the ID of my private GPG key. How safe is it to share it with the world?
jviotti
12 votes, 2 answers

Where should a keystore (.jks) be stored in a repository

I've got a question about the best practice in storing a Keystore file (.jks) in source control. This Keystore is called by a stand-alone Java component that retrieves a private key for the purpose of signing SAML assertions. For security purposes I…
rdChris
11 votes, 1 answer

Should I recreate Git tags after revoking a signing key?

Let's say my signing key has been compromised and I have to revoke it. What happens to the changesets and tags already signed? Should I rewrite them with the new signing key?
Antoine
10 votes, 2 answers

Is it safe to store APK signing passwords in private git repository?

I develop an Android game using cocos2d-x. For the Android release, it contains these fields in proj.android/gradle.properties: # uncomment it and fill in sign information for release mode #RELEASE_STORE_FILE=file path of…
9 votes, 1 answer

Should I worry about GitHub using IP addresses that are described as having an unknown host?

Today, I got a message while doing a git push, saying Warning: Permanently added the RSA host key for IP address '192.30.253.112' to the list of known hosts. It seems as if it's consistent with what GitHub uses, based on What IP addresses does…
Andrew Grimm
9 votes, 3 answers

Is the action of accepting a pull request on Github vulnerable to race conditions?

On GitHub, any person (let's call them Alice) can fork a project, make modifications to it, and then submit those changes to the project owner (Bob) as a pull request, and the idea is that Bob reviews the submitted code to make sure it is up to…
Shelvacu
7 votes, 1 answer

How do I know which subkey GitHub is using for signing?

I added my gpg subkey to GitHub today and noticed that regardless of which subkey I export, the PUBLIC KEY BLOCK is the same. I have since found this post, that explains why: is-it-possible-to-export-a-gpg-subkeys-public-component? In adding this…
nickbdyer
7 votes, 2 answers

Why use dedicated SSH keys for different hosts (like GitHub)?

I recently discovered github-keygen, a tool that helps you set up SSH for use with GitHub. One of the things the tool does is to create a new SSH private key dedicated to GitHub exchanges; the manual claims that "this is much better than using the…
Psychonaut
7 votes, 1 answer

How can CVE-2016-2324 and -2315 be mitigated on Mac OS X?

The recent git remote execution vulnerability states all git clients with version <2.7.1 are vulnerable and that most Linux distributions have included the fixes already. However, as of today, $ git --version git version 2.6.4 (Apple…
Tobi Nary
6 votes, 1 answer

Recover lost GPG public key

I sign my Git commits with a GPG key which I stored on an old computer. I lost this key so I created a new one to sign my commits with. It has not been compromised so I do not wish to revoke it. However, I accidentally deleted my public key too (I…
Zak