diff options
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 24 |
1 files changed, 6 insertions, 18 deletions
@@ -4,7 +4,7 @@ With only 3 commands *anyone* can find out the dates and exact times, down to the second, that a developer makes commits. -```bash +```sh git clone <target-repo> cd <target-repo> git log --format=fuller @@ -23,30 +23,18 @@ Over a long enough timespan, exact commit times can be used to deduce private in Git doesn't have a way to *remove* timestamps altogether, but both the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` can be set to any arbitrary date. For maximum privacy, set the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` to any constant date in your shell's environment variables. -```bash +```sh export GIT_COMMITTER_DATE="2000-01-01 00:00:00+0000" export GIT_AUTHOR_DATE="2000-01-01 00:00:00+0000" ``` -To make the changes permanent, append the commands to ~/.bashrc: - -```bash -echo -e "export GIT_COMMITTER_DATE=\"2000-01-01 00:00:00+0000\"\nexport GIT_AUTHOR_DATE=\"2000-01-01 00:00:00+0000\"" >> ~/.bashrc -``` - If it's desirable to retain only the day on which a commit was made, set both the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` like so: -```bash +```sh export GIT_COMMITTER_DATE="$(date +%Y-%m-%d) 00:00:00+0000" export GIT_AUTHOR_DATE="$(date +%Y-%m-%d) 00:00:00+0000" ``` -This provides decent privacy and still meaningful timestamps. To make the changes permanent, append the commands to ~/.bashrc: - -```bash -echo -e "export GIT_COMMITTER_DATE=\"$(date +%Y-%m-%d) 00:00:00+0000\"\nexport GIT_AUTHOR_DATE=\"$(date +%Y-%m-%d) 00:00:00+0000\"" >> ~/.bashrc -``` - Environment variables don't change after being set. So the dates update when a new shell is opened, not at midnight. ### 🔑 Removing Timestamps for Digital Signatures 🔑 @@ -55,8 +43,8 @@ It's important to digitally sign Git commits and especially releases to prevent Luckily, GPG signature timestamps can also be forged with the option: `--faked-system-time <iso>`. For this to be persistent, Git needs to run a version of GPG that *always* forges the system time. Also, the script should exclude GPG version information since that could also leak time information: -```bash -#!/bin/bash +```sh +#!/bin/sh gpg2 --faked-system-time <iso>! --no-emit-version --no-comments $@ ``` @@ -64,7 +52,7 @@ gpg2 --faked-system-time <iso>! --no-emit-version --no-comments $@ Make Git use the new script instead of regular GPG by adding the following lines to your Git config: -```text +```plaintext [gpg] program = gpg2-git ``` |