public git contributions? everyone knows your mail address now

Posted on Oct 5, 2023

Note: This isn’t new information or a new vulnerability. Git’s identity model relies on the mechanism explained below, and an e-mail address in commits is essential to it. I decided to write this post mainly because many people are unaware of this and are leaking their private e-mail addresses this way.

update 2023-12-21

It looks like GitHub has a setting for this: “Block command line pushes that expose my email” (under Settings → Emails) rejects pushes that contain commits whose author or committer address is one of the private addresses registered on your account. It only knows about addresses you have added to the account, so an unrelated private address in your git config still goes through.

git commits

When looking at git commits using git log, we can see something like this:

commit 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83
Author: Gian Klug <[email protected]>
Date:   Thu Oct 5 15:29:58 2023 +0200

    Some commit message

As we can see, the Author field contains a name and an e-mail address. This information is attached to the commit object when git commit runs; it is either set manually by the user (user.name and user.email in the git config) or set automatically by a git integration in an IDE such as JetBrains or VS Code. Git also records a separate Committer field, taken from the same configuration, which can differ from the author (for example after a rebase or when applying someone else’s patch); git log --format=fuller shows both, and both are public.

the issue

Many people don’t realize that they’re leaking their (sometimes private) e-mail address when contributing to public git repositories.

I’ve checked multiple people’s accounts and most of them use a private e-mail address that they probably didn’t intend to publish to the internet. Sometimes they even use their real name in that address, even though they otherwise care about OPSEC.

When not using the git CLI, this even happens automatically: people sign in to their GitHub account via OAuth 2 to access their repositories, and some git integrations then configure the commit author to be the GitHub profile e-mail without asking. On the CLI you usually have to configure the author information yourself, because git refuses to commit until an identity is set:


*** Please tell me who you are.

Run

  git config --global user.email "you@example.com"
  git config --global user.name "Your Name"

to set your account's default identity.
Omit --global to set the identity only in this repository.

fatal: unable to auto-detect email address (got 'root@b50c5d03922f.(none)')
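To see which identity git actually writes, here is an added example script (not from the original post): it builds a throwaway HOME, sets a non-identifying global address, gives repositories under ~/work/ a different identity with git’s includeIf, overrides the address in one repository, and finally sets an arbitrary author with --author, which is the point the trivia section makes later. All names, addresses and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates where the
# Author/Committer identity in a commit comes from: global config, a
# conditional include for ~/work/, a per-repository override, and the
# --author flag. Every path, name and address here is made up.
set -eu

# Throwaway HOME so nothing below touches the real ~/.gitconfig;
# pwd -P resolves symlinks so HOME and the repository paths agree.
setup_home() {
  HOME=$(cd "$(mktemp -d)" && pwd -P)
  XDG_CONFIG_HOME="$HOME/.config"
  GIT_CONFIG_NOSYSTEM=1                       # ignore /etc/gitconfig as well
  export HOME XDG_CONFIG_HOME GIT_CONFIG_NOSYSTEM
  # Global default: an address that does not identify the person.
  git config --global user.name  "gk"
  git config --global user.email "gk@example.com"
  # Repositories under ~/work/ get the employer identity instead.
  printf '[user]\n\tname = Gian Klug\n\temail = gian.klug@corp.example\n' \
    > "$HOME/.gitconfig-work"
  git config --global 'includeIf.gitdir:~/work/.path' '~/.gitconfig-work'
}

# Create (or reuse) the repository at $1, commit one line of text, and print
# the author and committer identity git actually recorded.
make_commit() {
  dir=$1; msg=$2
  mkdir -p "$dir"
  git -C "$dir" init -q
  printf '%s\n' "$msg" >> "$dir/README"
  git -C "$dir" add README
  git -C "$dir" commit -q -m "$msg"
  git -C "$dir" log -1 --format='author %an <%ae> / committer %cn <%ce>'
}

# The author field is client-supplied data: --author (or GIT_AUTHOR_EMAIL)
# sets it to anything; only the committer field still reflects local config.
spoof_commit() {
  dir=$1
  printf 'spoofed\n' >> "$dir/README"
  git -C "$dir" commit -q -a -m "Spoofed author" \
    --author="Some Other Person <someone@example.com>"
  git -C "$dir" log -1 --format='author %an <%ae> / committer %cn <%ce>'
}

author_email()    { git -C "$1" log -1 --format=%ae; }
committer_email() { git -C "$1" log -1 --format=%ce; }

main() {
  setup_home
  make_commit "$HOME/oss/proj"  "public project"     # global identity
  make_commit "$HOME/work/proj" "internal project"   # includeIf identity
  # A per-repository setting beats both, e.g. GitHub's noreply alias.
  git -C "$HOME/oss/proj" config user.email \
    "51193103+gianklug@users.noreply.github.com"
  make_commit "$HOME/oss/proj" "second public commit"
  spoof_commit "$HOME/oss/proj"
  # The identity git would use for the next commit in this repository:
  git -C "$HOME/oss/proj" var GIT_AUTHOR_IDENT
}

if command -v git >/dev/null 2>&1; then main; else echo "git not installed" >&2; fi
```

The order of precedence shown is the one git uses: --author and the GIT_AUTHOR_* environment beat the repository config, which beats the conditional include, which beats the plain global value. Checking `git var GIT_AUTHOR_IDENT` in a freshly cloned repository before the first commit is the cheapest way to catch an IDE or global setting that would leak a private address.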

why emails can be important

Git can sign commits with a GPG key (or, since Git 2.34, with an SSH key). This is useful for proving the authenticity of your commits and is a nice security feature, but it ties the commit to an e-mail address: GitHub only marks a commit as “Verified” if the committer e-mail is a verified address on your account and, for GPG, matches an address on the signing key. The address therefore has to be one you actually control; the GitHub noreply alias works for this too. See the docs from GitHub.

mitigation

GitHub even has an article on the matter that you can find here.

Web uploads and other actions done directly in the GitHub UI already use the noreply alias GitHub provides, as long as “Keep my email addresses private” is enabled in your e-mail settings:

commit d991a15851d7599d98547be0ee3bca7c8e4a134b (HEAD -> main, origin/main, origin/HEAD)
Author: Gian Klug <51193103+gianklug@users.noreply.github.com>
Date:   Thu Oct 5 15:49:57 2023 +0200

    Add files via upload

commit a1fabc61e670de58f52565cf3a4d85dcf18e3e0f
Author: Gian Klug <51193103+gianklug@users.noreply.github.com>
Date:   Thu Oct 5 15:49:42 2023 +0200

    Initial commit

I recommend using a separate, non-identifying e-mail address for committing; you can add it as a secondary address to your GitHub account and set it as the default, so commits are still attributed to your profile. You can also use the noreply address GitHub provides, which has the form ID+USERNAME@users.noreply.github.com and is shown under Settings → Emails:

git config --global user.email "51193103+gianklug@users.noreply.github.com"

If an address you want to change is already in the commit history of a repository, you can rewrite the author and committer information with git filter-branch (see the example gist here); git’s own documentation now recommends git filter-repo for this kind of rewrite. Keep in mind that this changes the hash of every affected commit, so you have to force-push, everyone with a clone has to re-clone, and the old commits can stay fetchable by hash on GitHub and in any fork until they are garbage-collected there.
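As an added example (not the original post’s gist and not GitHub’s own tooling), the script below first audits a clone for any author or committer address that is not a GitHub noreply alias, then rewrites one address with git filter-branch, and finally removes the refs/original/ backups and reflog entries that would otherwise keep the old commits, and with them the old address, alive in the clone. It builds its own throwaway repository; the names and addresses in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a clone for
# non-noreply addresses, rewrites one of them in every commit with
# git filter-branch, and then drops the backups that would otherwise keep
# the old commits alive locally. Names and addresses are made up.
set -eu
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null   # isolate from user config

# Every distinct author/committer address across all refs that is not a
# GitHub noreply alias. Prints nothing (and still exits 0) if there are none.
leaked_emails() {
  git -C "$1" log --all --format='%ae%n%ce' | sort -u \
    | grep -v '@users\.noreply\.github\.com$' || true
}

# Rewrite OLD to NEW in the author and committer fields of every commit
# reachable from any ref. filter-branch keeps the pre-rewrite refs under
# refs/original/ and the reflog still points at the old commits, so both are
# cleared and the unreachable objects pruned; otherwise `git log --all`
# (and anyone with a copy of the .git directory) would still see the address.
rewrite_email() {
  dir=$1; old=$2; new=$3
  OLD_EMAIL=$old NEW_EMAIL=$new FILTER_BRANCH_SQUELCH_WARNING=1 \
    git -C "$dir" filter-branch -f --env-filter '
      if [ "$GIT_AUTHOR_EMAIL" = "$OLD_EMAIL" ]; then
        GIT_AUTHOR_EMAIL=$NEW_EMAIL; export GIT_AUTHOR_EMAIL
      fi
      if [ "$GIT_COMMITTER_EMAIL" = "$OLD_EMAIL" ]; then
        GIT_COMMITTER_EMAIL=$NEW_EMAIL; export GIT_COMMITTER_EMAIL
      fi' -- --all
  git -C "$dir" for-each-ref --format='%(refname)' refs/original/ \
    | while read -r ref; do git -C "$dir" update-ref -d "$ref"; done
  git -C "$dir" reflog expire --expire=now --all
  git -C "$dir" gc -q --prune=now
}

# Throwaway repository: two commits with a private address and one already
# made with the noreply alias. Prints its path.
build_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.name  "Gian Klug"
  git -C "$dir" config user.email "gian@private.example"   # the leak
  printf 'one\n'   >  "$dir/notes"; git -C "$dir" add notes
  git -C "$dir" commit -q -m "first"
  printf 'two\n'   >> "$dir/notes"; git -C "$dir" commit -q -am "second"
  printf 'three\n' >> "$dir/notes"
  git -C "$dir" -c user.email=51193103+gianklug@users.noreply.github.com \
    commit -q -am "third (noreply)"
  echo "$dir"
}

if command -v git >/dev/null 2>&1; then
  repo=$(build_repo)
  echo "before:"; leaked_emails "$repo"
  rewrite_email "$repo" gian@private.example \
    51193103+gianklug@users.noreply.github.com >/dev/null 2>&1
  echo "after:";  leaked_emails "$repo"
  git -C "$repo" log --format='%h %ae %ce'
else
  echo "git not installed" >&2
fi
```

Running leaked_emails against a clone of each repository you have contributed to is a quick audit before deciding whether a rewrite is worth the disruption. The cleanup steps only affect the local clone: the remote and every fork still hold the old objects until they are force-pushed over and garbage-collected on that side.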

trivia

The git author information is irrelevant when pushing to GitHub, because authentication is done with a token or SSH key, not with the commit’s author field. That’s why you can commit as any person: for example, here “Linus Torvalds” committed. Git itself records no proof of who made a commit; the commit signing mentioned above is the mitigation, and GitHub only shows such a commit as “Verified” when the signing key belongs to the account that owns the e-mail in the commit.

tl;dr

The e-mail address in commit messages can be useful for signing commits, however if you care about OPSEC, use an address that doesn’t reveal any more information about yourself.