Table of Contents
Fetching ...

On the Prevalence and Usage of Commit Signing on GitHub: A Longitudinal and Cross-Domain Study

Anupam Sharma, Sreyashi Karmakar, Gayatri Priyadarsini Kancherla, Abhishek Bichhawat

TL;DR

This study tackles commit spoofing risk on GitHub by empirically assessing how widely developers sign commits and verify signatures over a five-year window across four domains. It introduces a data-extraction framework using GitHub's REST API to analyze 60 top repositories, excludes bots and web-commits, and compares usability across Git CLI, GitHub Desktop, GitKraken, and GitHub Web. Key findings show low overall adoption (about 9–10% of user commits signed), with security-focused projects exhibiting the highest signing activity and a temporary rise following GitHub's vigilant mode and verification badges in 2021. The paper also uncovers an unintended handling of unverified emails by GitHub, discusses usability gaps across clients, and proposes recommendations to strengthen ownership attribution and reduce commit spoofing in practice.

Abstract

GitHub is one of the most widely used public code development platform. However, the code hosted publicly on the platform is vulnerable to commit spoofing that allows an adversary to introduce malicious code or commits into the repository by spoofing the commit metadata to indicate that the code was added by a legitimate user. The only defense that GitHub employs is the process of commit signing, which indicates whether a commit is from a valid source or not based on the keys registered by the users. In this work, we perform an empirical analysis of how prevalent is the use of commit signing in commonly used GitHub repositories. To this end, we build a framework that allows us to extract the metadata of all prior commits of a GitHub repository, and identify what commits in the repository are verified. We analyzed 60 open-source repositories belonging to four different domains -- web development, databases, machine learning and security -- using our framework and study the presence of verified commits in each repositories over five years. Our analysis shows that only ~10% of all the commits in these 60 repositories are verified. Developers committing code to security-related repositories are much more vigilant when it comes to signing commits by users. We also analyzed different Git clients for the ease of commit signing, and found that GitKraken provides the most convenient way of commit signing whereas GitHub Web provides the most accessible way for verifying commits. During our analysis, we also identified an unexpected behavior in how GitHub handles unverified emails in user accounts preventing legitimate owner to use the email address. We believe that the low number of verified commits may be due to lack of awareness, difficulty in setup and key management. Finally, we propose ways to identify commit ownership based on GitHub's Events API addressing the issue of commit spoofing.

On the Prevalence and Usage of Commit Signing on GitHub: A Longitudinal and Cross-Domain Study

TL;DR

This study tackles commit spoofing risk on GitHub by empirically assessing how widely developers sign commits and verify signatures over a five-year window across four domains. It introduces a data-extraction framework using GitHub's REST API to analyze 60 top repositories, excludes bots and web-commits, and compares usability across Git CLI, GitHub Desktop, GitKraken, and GitHub Web. Key findings show low overall adoption (about 9–10% of user commits signed), with security-focused projects exhibiting the highest signing activity and a temporary rise following GitHub's vigilant mode and verification badges in 2021. The paper also uncovers an unintended handling of unverified emails by GitHub, discusses usability gaps across clients, and proposes recommendations to strengthen ownership attribution and reduce commit spoofing in practice.

Abstract

GitHub is one of the most widely used public code development platform. However, the code hosted publicly on the platform is vulnerable to commit spoofing that allows an adversary to introduce malicious code or commits into the repository by spoofing the commit metadata to indicate that the code was added by a legitimate user. The only defense that GitHub employs is the process of commit signing, which indicates whether a commit is from a valid source or not based on the keys registered by the users. In this work, we perform an empirical analysis of how prevalent is the use of commit signing in commonly used GitHub repositories. To this end, we build a framework that allows us to extract the metadata of all prior commits of a GitHub repository, and identify what commits in the repository are verified. We analyzed 60 open-source repositories belonging to four different domains -- web development, databases, machine learning and security -- using our framework and study the presence of verified commits in each repositories over five years. Our analysis shows that only ~10% of all the commits in these 60 repositories are verified. Developers committing code to security-related repositories are much more vigilant when it comes to signing commits by users. We also analyzed different Git clients for the ease of commit signing, and found that GitKraken provides the most convenient way of commit signing whereas GitHub Web provides the most accessible way for verifying commits. During our analysis, we also identified an unexpected behavior in how GitHub handles unverified emails in user accounts preventing legitimate owner to use the email address. We believe that the low number of verified commits may be due to lack of awareness, difficulty in setup and key management. Finally, we propose ways to identify commit ownership based on GitHub's Events API addressing the issue of commit spoofing.
Paper Structure (30 sections, 7 figures, 4 tables)

This paper contains 30 sections, 7 figures, 4 tables.

Figures (7)

  • Figure 1: Commit spoofing. The attacker (dummy46) gets the identity information from the victims's (dummy400) public repository logs and uses it in the Git config to push malicious commits on victim's behalf. GitHub associates the commit to the victim.
  • Figure 2: The different verification badges assigned by GitHub based on commit signatures vigilantMode.
  • Figure 3: Flow diagram showing the usage of the framework for commit extraction and analysis.
  • Figure 4: Year-wise proportion of verified (valid or correctly signed) commits among different categories before and after GitHub announced vigilant mode and verification badges. This excludes commits made via bots and GitHub web. Here, in the legends, the year starts and ends on the $28^{th}$ day of April of the starting and ending year.
  • Figure 5: Proportion of old and new committers with at least 50 verified (valid or correctly signed) commits each year. The rise and fall trend in the proportion of committers with verified commits could be the reason behind similar trend in \ref{['fig:yearWiseProportion']}. The drop in the proportion in the last interval could be due to the shorter range (4 months less than other intervals with 12 months).
  • ...and 2 more figures