From 384d19226f7539bc1e6dc18e8d218db6a381969a048b5027d7b1b584286241b5 Mon Sep 17 00:00:00 2001 From: Nicholas Johnson Date: Thu, 15 Jun 2023 00:00:00 +0000 Subject: Make minor improvements --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 34da1c4..ef3f218 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ export GIT_COMMITTER_DATE="2000-01-01 00:00:00+0000" export GIT_AUTHOR_DATE="2000-01-01 00:00:00+0000" ``` -If it's desirable to retain only the day on which a commit was made, set both the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` like so: +To retain only the day on which a commit was made, set both the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` like so: ```sh export GIT_COMMITTER_DATE="$(date +%Y-%m-%d) 00:00:00+0000" @@ -39,12 +39,11 @@ Environment variables don't change after being set. So the dates update when a n ### 🔑 Removing Timestamps for Digital Signatures 🔑 -It's important to digitally sign Git commits and especially releases to prevent man-in-the-middle attacks. GPG signatures contain their own timestamps which can be just as bad for privacy as Git timestamps. - -Luckily, GPG signature timestamps can also be forged with the option: `--faked-system-time `. For this to be persistent, Git needs to run a version of GPG that *always* forges the system time. Also, the script should exclude GPG version information since that could also leak time information: +GPG signatures contain their own timestamps which can be just as revealing as Git timestamps. Luckily, GPG signature timestamps can also be forged with the option: `--faked-system-time `. For this to be persistent, Git needs to run a version of GPG that *always* forges the system time. Also, the script should exclude GPG version information since that could also leak time information: ```sh #!/bin/sh +# file: /usr/bin/gpg2-git gpg2 --faked-system-time ! --no-emit-version --no-comments $@ ``` -- cgit v1.2.3
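Review bot: In the first hunk (`@@ -28,7 +28,7 @@`), the context line `export GIT_COMMITTER_DATE="$(date +%Y-%m-%d) 00:00:00+0000"` takes the day from the machine's local timezone but labels it with a hard-coded `+0000` offset. Around midnight the recorded day then differs from the UTC day, and the result depends on the committer's timezone setting. Since this commit already rewords the sentence introducing that snippet, consider changing the command to `date -u +%Y-%m-%d` so the day and the offset agree.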
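Review bot: In the second hunk (`@@ -39,12 +39,11 @@`), the wrapper line `gpg2 --faked-system-time ! --no-emit-version --no-comments $@` passes `$@` unquoted, so any argument containing whitespace is word-split before it reaches gpg2; use `"$@"`. The new `# file: /usr/bin/gpg2-git` comment puts a hand-written script in a directory normally owned by the package manager, so `/usr/local/bin/gpg2-git` would be a safer suggestion. The hunk also drops the sentence explaining why commits and releases should be signed, and the section now opens without saying why a reader would sign at all, so a short replacement sentence would help. Finally, `--faked-system-time` appears with no time value before the `!` in both the prose and the script as shown here; the README should state which value is expected.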