14

As a scientist I would like to keep some official record of the time I check something into my Git repository. This in order to later back up claims of who invented what first during for instance patent disputes.

At the moment I from time to time add a tag to my repository like so:

git tag -s -m "`date`" 2012-08-20

and push the tags to the central server:

git push --tags

Pulling up a tag shows the date I signed it with my key:

git tag -v 2012-08-20
object 2d6f6035270e8e44c035431e99be8da3fccee095
type commit
tag 2012-08-20
tagger My Full Name <name@institution> 1345466433 +0200

Mon Aug 20 14:40:33 CEST 2012
gpg: Signature made Mon Aug 20 14:40:37 2012 CEST using RSA key ID somekey
gpg: Good signature from "My Full Name <name@institution>"
gpg:                 aka "My Full Name <personal-email>"

My question is how secure these dates are? Is it possible tamper with them later on?

EDIT: to clarify a but further, I wish to be able to prove that it would be very unlikely that I tampered with the tags later on.

Marijn van Vliet
  • 5,239
  • 2
  • 33
  • 45
  • When signing executable code with Microsoft Authenticode signature, you can use a "time-stamping" service, which verifies the time that the signature was stamped, as long as you trust the time-stamping service provider. I don't know of any other way to sign something with a time-stamp, especially if it would hold up legally, but you might search for that term. – Marcus Adams Aug 20 '12 at 13:47

3 Answers3

17

What Git guarantees is: If the date (or the rest of the tag, or the commits attached to it etc.) are altered, the SHA1 of the tag will change.

However, to make this useful, you must somehow prove what the original SHA1 tag was, and that you already had it at the claimed date of invention.

Otherwise, to fraudulently claim that you invented something in January 1980, you could just rewind your computer's date to 1980 and create the repository with the necessary commits, tags and all - git would not know, as it can only believe what the system clock tells it.

So if you want to prove that you invented/wrote something prior to some date in the past, git (alone) cannot help you, nor can any form of signing alone. What you need is Trusted timestamping. There are various different schemes, but all require one or more third parties that essentially vouch for the correctness of the timestamp.

sleske
  • 81,358
  • 34
  • 189
  • 227
3

What you want is a certified timestamp as described by Ryan J in this recent thread How can I use RFC3161 (trusted) timestamps to prove the age of commits in my Git repository?

This appears to be a certified, verified way of recording the sha1 of the relevant tip commit.

Community
  • 1
  • 1
Philip Oakley
  • 13,333
  • 9
  • 48
  • 71
3

You could embed your git commit sha1 into the Bitcoin blockchain by using a service such as http://www.proofofexistence.com/.

Olivier Lalonde
  • 19,423
  • 28
  • 76
  • 91