We have a self-hosted gitlab service. We faced the following scenario.

- User account was created as sachith@example.com and after some time this user updated the email address to sachith@example2.com, and this user can access previously created projects.
- After some time a new user came with sachith@example.com and created a gitlab account. This user has access only to newly created personal projects.
- When the sachith@example1.com user pushes code, the commit was shown as this new user with sachith@example.com; even in the original projects, their commits etc. are shown as this new user.
Hi,

Git stores the author details, with the email address as a raw string, for each Git commit; there is no further verification by default. When someone else "impersonates" the account by using the same email address, the mapping in the frontend links the username and email.

One way to verify the author is to add an additional security layer with GPG keys, enforcing that users sign their commits with their GPG key (git commit -s). The GPG key is then linked to verified user profiles, and a badge will show in the commit details in the UI.

More details in the documentation: Signing commits with GPG | GitLab

If you want to either fix the author email address in the commit history or apply signed commits retroactively, the Git history has to be rewritten, which can have impacts on existing data (git tags, etc.). Another way would be blocking the email address from being used, or re-assigning the email address to the correct user profile as an administrative action. I recommend defining a plan and informing the users before taking action.
Cheers,
Michael
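A server-side policy check in the spirit of Michael's advice, added here as an example that is not from the thread or from GitLab's code: it parses raw commit objects (the format in which git stores the author line as plain text), maps the author email to the account that has verified it, and requires a gpgsig header, which is what `git commit -S` (capital S selects GPG signing) adds. The username/email table, the sample commits and the helper names are constructed for the example.

```python
"""Parse raw git commit objects (what `git cat-file -p <sha>` prints) and apply a
push policy: author email must be verified for the pusher and a gpgsig header must
be present. Hypothetical helper, not GitLab's code; it does not verify the signature."""
import re
from dataclasses import dataclass

# Git stores the author as one unverified text line: "author Name <email> ts tz".
AUTHOR_RE = re.compile(r"^author (?P<name>.*?) <(?P<email>[^>]*)> \d+ [+-]\d{4}$")

@dataclass
class CommitInfo:
    author_name: str
    author_email: str
    signed: bool  # True when a gpgsig header is present

def parse_commit(raw: str) -> CommitInfo:
    """Read the header block (everything before the first blank line)."""
    headers, _, _message = raw.partition("\n\n")
    name = email = None
    signed = False
    for line in headers.splitlines():
        m = AUTHOR_RE.match(line)
        if m:
            name, email = m.group("name"), m.group("email")
        elif line.startswith("gpgsig "):
            signed = True
    if email is None:
        raise ValueError("commit has no author header")
    return CommitInfo(name, email, signed)

def check_push(raw_commit: str, pusher: str, verified: dict[str, set[str]]) -> str:
    """verified maps GitLab username -> email addresses confirmed for that account."""
    info = parse_commit(raw_commit)
    owner = next((u for u, addrs in verified.items() if info.author_email in addrs), None)
    if owner is None:
        return f"reject: author {info.author_email} belongs to no verified account"
    if owner != pusher:
        return f"reject: author {info.author_email} is verified for {owner}, not {pusher}"
    if not info.signed:
        return "reject: commit is unsigned"
    return "accept"

# Constructed sample commits; the tree id is git's well-known empty tree.
SAMPLE_UNSIGNED = ("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
                   "author Sachith <sachith@example.com> 1700000000 +0000\n"
                   "committer Sachith <sachith@example.com> 1700000000 +0000\n"
                   "\nInitial commit\n")
SAMPLE_SIGNED = SAMPLE_UNSIGNED.replace("\nInitial", "gpgsig -----BEGIN PGP SIGNATURE-----\n"
                                        " <placeholder armor>\n -----END PGP SIGNATURE-----\n\nInitial")
VERIFIED = {"sachith_old": {"sachith@example2.com"}, "sachith_new": {"sachith@example.com"}}
```

With the table above, a signed commit authored as sachith@example.com is accepted only when pushed by the account that currently holds that address; the same commit pushed by the original account, or any unsigned commit, is rejected.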