
I am trying to understand what a git repo itself without a server hosting it is able to do. My goal is a bare git repo somewhere on our network drive that people can pull and push to.

I was able to create a bare git repo, clone it, commit and push to it. Using git config user.name I can even see who made which commit. That is almost ideal.

What I wonder is if, while having only a simple bare git repo, I can somehow make sure that a specific person actually made the commit, since git config user.name can be changed at any time by a committer.

I guess account based authentication is out of consideration when not using an actual server. What I think might be possible is somehow setting allowed ssh public keys on the repo itself for people that should have access to specific branches and ideally even link a key to a specific user.name. The git command itself would then validate that the pushing user has a private key that has its corresponding public part in the repo.

Is this possible or is this the point at which an actual server needs to be running? What about PGP?

  • This is beyond the scope of what Git can do. This is why people write software around git (like hosting servers that handle authentication). A bare repo relies on the underlying OS's directory accessibility, and uses SSH only for network reachability to remotes that are not publicly available. Git is a small piece of software that performs a specific job, and doesn't try to be more than that. You'll have to use the features of the OS to handle these kinds of things.
    Commented Jan 30 at 15:23
  • Thanks, if you care to form that into an answer I will gladly accept it.
    – patvax
    Commented Jan 30 at 17:37
  • Depends on what exactly the goal is - what you listed is not quite a goal related to security or why you're going for this approach in general. GPG signing could work, for instance.
    – Destroy666
    Commented Jan 30 at 18:22
  • @Destroy666 For now I will be working alone with the codebase but in the future it might happen that there will be more people involved. In that case I was interested if it will be possible to centrally authenticate pushing users so that their commits are definitely coming from them. The goal would be to make sure that no one could impersonate another person in their commit or something like that.
    – patvax
    Commented Jan 30 at 19:15
