-rw-r--r-- | README.md | 7 |
1 files changed, 3 insertions, 4 deletions
@@ -28,7 +28,7 @@ export GIT_COMMITTER_DATE="2000-01-01 00:00:00+0000" export GIT_AUTHOR_DATE="2000-01-01 00:00:00+0000" ``` -If it's desirable to retain only the day on which a commit was made, set both the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` like so: +To retain only the day on which a commit was made, set both the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` like so: ```sh export GIT_COMMITTER_DATE="$(date +%Y-%m-%d) 00:00:00+0000" @@ -39,12 +39,11 @@ Environment variables don't change after being set. So the dates update when a n ### 🔑 Removing Timestamps for Digital Signatures 🔑 -It's important to digitally sign Git commits and especially releases to prevent man-in-the-middle attacks. GPG signatures contain their own timestamps which can be just as bad for privacy as Git timestamps. - -Luckily, GPG signature timestamps can also be forged with the option: `--faked-system-time <iso>`. For this to be persistent, Git needs to run a version of GPG that *always* forges the system time. Also, the script should exclude GPG version information since that could also leak time information: +GPG signatures contain their own timestamps which can be just as revealing as Git timestamps. Luckily, GPG signature timestamps can also be forged with the option: `--faked-system-time <iso>`. For this to be persistent, Git needs to run a version of GPG that *always* forges the system time. Also, the script should exclude GPG version information since that could also leak time information: ```sh #!/bin/sh +# file: /usr/bin/gpg2-git gpg2 --faked-system-time <iso>! --no-emit-version --no-comments $@ ``` |
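Review bot: in the first hunk, the context line `export GIT_COMMITTER_DATE="$(date +%Y-%m-%d) 00:00:00+0000"` takes the day from `date` in the local time zone but labels it `+0000`, so near midnight the recorded day can differ from the UTC day. Since the reworded sentence now presents this as the way to retain only the day, consider `date -u +%Y-%m-%d` in the example, or state in the sentence that the day is the local one.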
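Review bot: in the second hunk, the wrapper script ends with an unquoted `$@`, which re-splits any argument containing whitespace before it reaches gpg2; use `"$@"`, and prefix the command with `exec` so no extra shell process is left waiting. The literal `<iso>!` would be parsed by sh as redirections if the script is copied as written, so the README should say that `<iso>` is a placeholder for an ISO timestamp. The added `# file: /usr/bin/gpg2-git` comment names an install path, but the visible lines do not say how Git is told to use that wrapper; if the rest of the README does not cover it, add a sentence here.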