Description: As noted, each commit on GitHub carries a timestamp that indicates when it was committed. These timestamps can be manipulated, so commits can be made to appear as though they were created at times other than when they were actually made. Further through the series we can also add fake contributors and add verified organizations to the list.
Solution Description:
- Adding commits recursively and then randomly modifying the dates.
- To counter the risk of forged contributor identities, GitHub introduced "Commit Signature Verification." This allows users to cryptographically sign their commits, ensuring their authenticity. However, this feature only verifies signatures that are present; it does not require commits to be signed. Enabling "vigilant mode" enhances the feature by displaying a verification status for all commits, highlighting unsigned ones and helping detect impersonation attempts.
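
A defender-side check for the two issues above, as an added example that is not part of the original workshop material: it flags commits that are unsigned, that do not carry a good signature, or whose timestamps are in the future or older than their parent. The sample log is constructed, and the function names and the 300-second skew allowance are assumptions.

```python
"""Audit `git log` records for unsigned or implausibly dated commits."""
import time

# Constructed sample, in the shape printed by:
#   git log --format='%H|%P|%at|%ct|%G?|%ae'
# fields: hash | parents | author time | committer time | signature status | author email
SAMPLE_LOG = """\
d4d4d4d|c3c3c3c|4102444800|4102444800|B|dev@example.test
c3c3c3c|b2b2b2b|1700000300|1700000300|G|dev@example.test
b2b2b2b|a1a1a1a|1262304000|1262304000|N|ceo@example.test
a1a1a1a||1700000000|1700000000|G|dev@example.test
"""

def parse_log(text):
    """Return {sha: record} from pipe-delimited git log lines."""
    commits = {}
    for line in text.strip().splitlines():
        sha, parents, atime, ctime, sig, email = line.split("|", 5)
        commits[sha] = {"parents": parents.split(), "author_time": int(atime),
                        "commit_time": int(ctime), "sig": sig, "email": email}
    return commits

def audit(commits, now=None, skew=300):
    """Return {sha: [issues]} for commits that deserve a manual look."""
    now = time.time() if now is None else now
    findings = {}
    for sha, c in commits.items():
        issues = []
        if c["sig"] == "N":        # %G? prints N when there is no signature
            issues.append("unsigned")
        elif c["sig"] != "G":      # B, U, X, Y, R, E: not a good, trusted signature
            issues.append("signature-status-" + c["sig"])
        if max(c["author_time"], c["commit_time"]) > now + skew:
            issues.append("timestamp-in-future")
        # A commit cannot really predate the parent it points to; allow small clock skew.
        for parent in c["parents"]:
            p = commits.get(parent)
            if p and c["commit_time"] + skew < p["commit_time"]:
                issues.append("older-than-parent")
                break
        if issues:
            findings[sha] = issues
    return findings

if __name__ == "__main__":
    for sha, issues in audit(parse_log(SAMPLE_LOG), now=1700001000).items():
        print(sha, ", ".join(issues))
```

Clock skew and imported history can also trip the date checks, so treat them as signals for review and rely on the signature status for authenticity.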
Output:
- See visual commits
Tests: [x] added to a proxy account
Note: This is a demonstration of a workshop from when I volunteered for the AppSec Village for DEF CON.