Impersonation and Identity Theft Risk on GitHub and How to Prevent It

Posted on Feb 21, 2019 by Private Internet Access

In today’s world, people who commit fraud, or scammers, frequently attempt to masquerade as another person or entity. Identity theft happens for a multitude of reasons, including but not limited to stealing credit, credentials or currency, or as an attempt to discredit by falsely attributing statements or other content to someone. Unfortunately, verifying someone’s identity and distinguishing truth from lies can be difficult for most people.

As an example, practically all modern day computer software is to some degree reliant on open source code that is hosted and collaborated on GitHub: The world’s largest open source code repository. In a GitHub repository, the full source code for a project is available along with full authorship and history, and GitHub makes efforts to make this information as accessible as possible (such as drawing GitHub user avatars next to any code authored in their name). What many people may not realize is that this information is entirely under the control of the repository owner and can be trivially forged.

Open source software is supposed to be all about the code rather than the author so this doesn’t seem like a serious problem at first, but in practice most software developers can’t verify all the code all the time, so reputation-based trust becomes a habit. Trust in reputation, or an identity, opens up an attack vector similar to phishing, where people can be tricked into trusting something based on a familiar name.

A scammer could easily fork a project to a similar repository URL and make additional commits in the name of a credible person, and either try to trick people into using their repository instead of the official one, or they could submit pull requests to other forks or back to the original, hoping that people mistake the additions as coming from a legitimate source. Another possible consequence is that disagreeable content could be committed in someone else’s name in an attempt to hurt their reputation in the developer community. As we’ve seen with SickRage, this could definitely lead to issues.

See Proof of Concept:

The good news is that there is a solution for this: Git and GitHub supports cryptographic signatures, making it possible to verify if a commit truly comes from a trusted source.  The bad news is that very few projects actually make use of this feature. Therefore, we have put together this tutorial for how to set up GPG on your computer and begin signing your email messages and Git commits:

How to Setup GPG

  1. Download GPG
    • Windows: [GnuPG](https://www.gnupg.org)
    • macOS: Use [Homebrew](https://brew.sh) to brew install gpg
    • Linux: apt install gpg (or pacman/yum/etc)
  2.  Prepare your Command Line Interface (CLI) for interacting with GPG
    • Windows: Install and use GitForWindows (https://gitforwindows.org/)
    • macOS: Use Terminal
    • Linux: Use Terminal
  3.  Generate GPG keys
    1. gpg --full-generate-key
      • Make sure to make a strong password
      • Make sure to use your e-mail address from github
      • Write down the Long Key ID
        1. Look for a prompt that looks like: “gpg: key 58DF0DD1C1FFF04F marked as ultimately trusted”
        2. Write down those 16 digits, this is your Long Key ID
  4. Backup your GPG keys in an encrypted/safe place or even on paper in a safe
  5. Note your Long Key ID if you haven’t already
    • gpg --list-secret-keys
    • Look for the line beginning with sec
    • There will be a long hex string; the last 16 digits of which are the Long Key ID
  6. Checkout the GPG Cheat Sheet](http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/)

How to Upload your Key to a Keyserver

  1. Type this:
    • gpg --keyserver pgp.mit.edu --send-key
      1. Other keyservers:
        • Keys.gnupg.net
        • keyserver.ubuntu.edu

How to Sign a Message

  1. Type this:
    • gpg --clearsign
    • Type your message
    • Press CTRL+D
      1. Optionally, for an existing file, you can just run gpg --clearsign file.txt
        • A file called file.txt.asc will be output.

How to Verify a Signed Message

  1. Type this:
    • gpg --verify
    • Paste your message
    • Press CTRL+D
      1. Optionally, for an existing file, you can just run gpg --verify file.txt.asc

How to Encrypt a Message

  1. Type this:
    • gpg --encrypt --armor
    • Enter recipient’s Long Key ID
    • Press enter when done adding recipients
    • Type your message
    • Press CTRL+D
      1. Optionally, for an existing file, you can just run gpg --encrypt file.txt
        • A file called file.txt.gpg will be output.

How to Decrypt a Message

  1. Type this:
    • gpg --decrypt
    • Paste your message
    • Press CTRL+D
      1. Optionally, for an existing file, you can just run gpg --decrypt file.txt.gpg

How to Add Your GPG Key to Github

  1. Type this:
    • macOS:
      1. gpg --armor --export `gpg --list-secret-keys --keyid-format LONG |grep "/" |grep "sec"|awk '{print $2}'|awk '{split($0,a,"/"); print a[2]}' | sed -n '1p' | pbcopy`
    • Linux:
      1. apt install xclip
      2. gpg --armor --export `gpg --list-secret-keys --keyid-format LONG |grep "/" |grep "sec"|awk '{print $2}'|awk '{split($0,a,"/"); print a[2]}' | sed -n '1{p;q}'` | xclip -selection c
    •  Windows:
      1. export V=`gpg --list-secret-keys --keyid-format LONG |grep "/" |grep "sec"|awk '{print $2}'|awk '{split($0,a,"/"); print a[2]}' | sed -n '1{p;q}'`
      2. gpg --armor --export $V | clip
  2.  Go to Github and add it. [Github Help]

How to Sign Git Commits and Tags

  1. Tell Git which GPG key you want to use for signing:
    • gpg --list-secret-keys
    • git config --global user.signingkey your-key-id-here
  2.  Use the -S flag when making commits to include a digital signature (you will need Git v1.7.9 or above):
    • git commit -S -m "My signed commit"
  3.  Use the -s flag when creating tags to make it a signed tag:
    • git tag -s mytag -m "My signed tag"
  4.  You can configure Git to always sign your commits:
    • git config --global commit.gpgsign true

Special thanks to contributors: Andrew Lee, Nick Calaway, Jon Roudier, Jayson Quayle, Ted Kim, Richard Lee, Chris Miller, Tommie Podzemski, and Caleb Chen.