Diffstat (limited to 'README.md')
-rw-r--r-- README.md 24
1 files changed, 6 insertions, 18 deletions
diff --git a/README.md b/README.md
index bc8a294..122a2e6 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
With only 3 commands *anyone* can find out the dates and exact times, down to the second, that a developer makes commits.
-```bash
+```sh
git clone <target-repo>
cd <target-repo>
git log --format=fuller
@@ -23,30 +23,18 @@ Over a long enough timespan, exact commit times can be used to deduce private in
Git doesn't have a way to *remove* timestamps altogether, but both the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` can be set to any arbitrary date. For maximum privacy, set the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` to any constant date in your shell's environment variables.
-```bash
+```sh
export GIT_COMMITTER_DATE="2000-01-01 00:00:00+0000"
export GIT_AUTHOR_DATE="2000-01-01 00:00:00+0000"
```
-To make the changes permanent, append the commands to ~/.bashrc:
-
-```bash
-echo -e "export GIT_COMMITTER_DATE=\"2000-01-01 00:00:00+0000\"\nexport GIT_AUTHOR_DATE=\"2000-01-01 00:00:00+0000\"" >> ~/.bashrc
-```
-
If it's desirable to retain only the day on which a commit was made, set both the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` like so:
-```bash
+```sh
export GIT_COMMITTER_DATE="$(date +%Y-%m-%d) 00:00:00+0000"
export GIT_AUTHOR_DATE="$(date +%Y-%m-%d) 00:00:00+0000"
```
-This provides decent privacy and still meaningful timestamps. To make the changes permanent, append the commands to ~/.bashrc:
-
-```bash
-echo -e "export GIT_COMMITTER_DATE=\"$(date +%Y-%m-%d) 00:00:00+0000\"\nexport GIT_AUTHOR_DATE=\"$(date +%Y-%m-%d) 00:00:00+0000\"" >> ~/.bashrc
-```
-
Environment variables don't change after being set. So the dates update when a new shell is opened, not at midnight.
### 🔑 Removing Timestamps for Digital Signatures 🔑
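Review bot: The retained context line "Environment variables don't change after being set. So the dates update when a new shell is opened, not at midnight." now has nothing to refer to, because this hunk deletes both paragraphs that told the reader to append the exports to `~/.bashrc`. With only the bare `export` lines left, a new shell has no `GIT_AUTHOR_DATE` or `GIT_COMMITTER_DATE` at all, and commits made there carry real timestamps again. Suggest replacing the removed text with one shell-neutral sentence saying the two `export` lines belong in the shell's startup file, or rewording the remaining sentence to match. If a persistence command is reinstated, do not restore the removed `echo -e "...\"$(date +%Y-%m-%d) 00:00:00+0000\"..." >> ~/.bashrc` form: the `$(date ...)` sits inside double quotes, so it is expanded when the line is appended and a fixed day is written to the file, and `echo -e` is not portable to `sh`.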
@@ -55,8 +43,8 @@ It's important to digitally sign Git commits and especially releases to prevent
Luckily, GPG signature timestamps can also be forged with the option: `--faked-system-time <iso>`. For this to be persistent, Git needs to run a version of GPG that *always* forges the system time. Also, the script should exclude GPG version information since that could also leak time information:
-```bash
-#!/bin/bash
+```sh
+#!/bin/sh
gpg2 --faked-system-time <iso>! --no-emit-version --no-comments $@
```
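Review bot: The wrapper line `gpg2 --faked-system-time <iso>! --no-emit-version --no-comments $@` still passes the arguments as an unquoted `$@`, which undergoes word splitting and pathname expansion, so any argument Git hands to the wrapper that contains whitespace or glob characters reaches `gpg2` altered. Since this hunk already touches the script to make it POSIX `sh`, change the tail to `"$@"`, which is valid in `/bin/sh` and forwards each argument unchanged.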
@@ -64,7 +52,7 @@ gpg2 --faked-system-time <iso>! --no-emit-version --no-comments $@
Make Git use the new script instead of regular GPG by adding the following lines to your Git config:
-```text
+```plaintext
[gpg]
program = gpg2-git
```