git and Trusted Timestamps or DOI for private repo?


We are using git / github, and we have to be able to prove that a specific commit / tag was done before a specific time. We want to use a Trusted Timestamp for this, as they seem to be the easiest way of achieving this.

Another option would be a DOI, but the repo is private (embargoed due to usage in internal projects) and will only be public at a later stage, but the timestamp should be for the time of the initial commit / tag.

As I understand it, the timestamp is generated based on the files and a hash is created, which can be verified later and proves that it was created at a certain date and time.

But I am struggling on how I can use these in git / github?

Do I create the Trusted Timestamp of the hash created by git and include it in a tag, i.e. request the Trusted Timestamp after the commit which I want to stamp?

Do I add the timestamp as a file to the commit, i.e. request it before the commit? But what do I use to create the Trusted Timestamp for?


0
On BEST ANSWER

I am now using OriginStamp, which integrates nicely with github, as described here in general and at this site specifically for github.

If I understand it correctly, it gives a Trusted Timestamp based on the generated hash from git and deposits it in the bitcoin blockchain.

2
On

Git does not support any of this out of the box, but a quick scan of your link (I did not delve into the RFC, nor the ANSI X9.95 standard) suggests that the way to do this is to make the commit itself, then feed the raw commit data—which you can obtain via git cat-file -p hash—to the Time Stamping Authority (TSA) that generates the timestamp, and put whatever data it generated into an annotated tag, tagging that commit. It will be easy to demonstrate that you have stored the TSA's data in the annotated tag, since that data show up when you print the tag's content, and the TSA will then show that you provided them the commit data.

... But I am struggling on how I can use these in git / github?

You'll be able to make the commit anywhere, but you will need a local clone to obtain the raw commit text. The commit text itself looks like this:

$ git cat-file -p HEAD | sed 's/@/ /'
tree 191f960868564ef1f0978328589aa191219f1ab8
parent 96f29521a3908eb80b9552f11f2b75ca34475686
author Junio C Hamano <gitster pobox.com> 1525762230 +0900
committer Junio C Hamano <gitster pobox.com> 1525762789 +0900

The fifth batch for 2.18

Signed-off-by: Junio C Hamano <gitster pobox.com>

and it's really the tree hash that you will protect here. Since it's the tree hash you're protecting, it would in theory be possible to insert the TSA's data directly into the commit text, but this part would be significantly trickier than using annotated tags. To use the annotated tags, you just deliver the full commit text to the TSA; they provide you with a hash, in whatever form they provide it, and you turn that into something suitably text-ish to store in the annotated tag, the same way Git uses GPG-signatures.

You then run (locally, in your repository) git tag -a as usual, paste the text-ified TSA data in your tag, and now you have an annotated tag storing the TSA data. To send this data to GitHub, you simply git push the tag:

git push origin refs/tags/<tagname>

Anyone cloning the repository gets the annotated tag, and git show tagname (or git cat-file -p refs/tags/tagname) extracts the annotation, which contains your text-ified TSA data. Compare with, e.g.:

$ git show v2.17.0 | sed 's/@/ /'
tag v2.17.0
Tagger: Junio C Hamano <gitster pobox.com>
Date:   Mon Apr 2 10:14:24 2018 -0700

Git 2.17
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE4fA2sf7nIh/HeOzvsLXohpav5ssFAlrCZPAACgkQsLXohpav
5suOTg/+I+qxQFmQyi3Ms1VAzM3wefJ9Ut4qBV5TKCu+wY21c4ZvTk9kvmJN+qYK
MDi6smYlCyj7YD1JqbPEyEoUgb/7TjylA9dBVwrCk8HoyAyLQpwixgkZxLLJEEzE
9EpzAg65fHST//DYMr0pZMee9POKL0KU4ekAJKsrfgRF4rA29OwvkrKvNw9DzAQf
gfIBQktNGzGaKhyjS9AdFR7K7N8vy1hGWPWwAWkxRWRwa2vsENdPuqLMstJqUzmP
3OEqA5OFZ7RDr9WrrNORbCN1iIyAQQ7GzZEMwT1mXhHB+b91F0SO766REnkgfwa1
bMgjpqfzAjoSzeafg5t1jAqm+MvgXQNP4KCWsk6ZtstWj7xfgyuhZ2osTdPUNaeT
tqRdhmrShQ+lMY5uuhJHr7kqUvqt3INpE9KD19nmlPvgPbYP5mDpW8oZfEGTM+iw
vCQqE5AZ5SivhEkkSTDgNdFJemvX2QbtRBiG8RyhWTLpRUGp9q1lgD1KJZlxjrdX
ovqGRNhkRowaGVpfoFeFs5256cxB9FkttE5MEj5FoSB8G4/FdUhkm4qTWXP5fZKt
d89PyWvTXn7x8rKFs/XLMscDnc9kCgnyt0ugYZZxjb4Mqs59A6epE+ylX/j9DDFW
6ZfTteMqLRtDtaEntJFQS9CatSoMpdlXUluKvoWcD9uy57WTayQ=
=JgMH
-----END PGP SIGNATURE-----

commit 468165c1d8a442994a825f3684528361727cd8c0 (tag: v2.17.0, origin/maint)
Author: Junio C Hamano <gitster pobox.com>
[snip rest]
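
The binding that the annotated-tag approach above relies on, as an added example that is not part of either answer: a verifier has to show that the text handed to the TSA is exactly the commit the tag points at, and has to get the binary token back out of the tag message. The armor markers, the sample commit and the placeholder token bytes are constructed for illustration; SHA-256 as the digest sent to the TSA is an assumption.

```python
import base64
import hashlib

# Hypothetical armor markers; neither Git nor any TSA defines these.
BEGIN = "-----BEGIN TIMESTAMP TOKEN-----"
END = "-----END TIMESTAMP TOKEN-----"

def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 object id as Git computes it: hash of '<kind> <size>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def tsa_imprint(raw_commit: bytes) -> str:
    """Digest of the raw commit text, i.e. the value submitted to the TSA."""
    return hashlib.sha256(raw_commit).hexdigest()

def armor(token: bytes) -> str:
    """Turn the TSA's binary response into text for an annotated tag message."""
    b64 = base64.b64encode(token).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *body, END])

def dearmor(tag_message: str) -> bytes:
    """Recover the binary token from a tag message containing an armored block."""
    lines = tag_message.splitlines()
    start, stop = lines.index(BEGIN), lines.index(END)
    return base64.b64decode("".join(lines[start + 1:stop]), validate=True)

def check_binding(raw_commit: bytes, tagged_commit_id: str, stamped_imprint: str) -> bool:
    """True only if the text that was timestamped is exactly the tagged commit."""
    return (git_object_id("commit", raw_commit) == tagged_commit_id
            and tsa_imprint(raw_commit) == stamped_imprint)

# Constructed sample: what `git cat-file -p <hash>` prints for a commit.
SAMPLE_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.com> 1525762230 +0000\n"
    b"committer A U Thor <author@example.com> 1525762230 +0000\n"
    b"\n"
    b"Initial embargoed release\n"
)

if __name__ == "__main__":
    cid = git_object_id("commit", SAMPLE_COMMIT)
    placeholder_token = b"\x30\x03\x02\x01\x00"  # constructed bytes, not a real TSA response
    print(f"timestamp for {cid}\n\n{armor(placeholder_token)}")
    print("binding ok:", check_binding(SAMPLE_COMMIT, cid, tsa_imprint(SAMPLE_COMMIT)))
```

Checking the TSA's own signature over the recovered token is a separate step done with the TSA's tooling; this only shows that the stamped bytes and the tagged commit are the same object.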