Git Security: Notate Commit with Push Credential Identity in addition to user.name and user.email-CodePudding

I would like to know that when there is a commit within our repository and it said that it came from John Smith, that it did in fact come from John Smith. Unfortunately, it seems like if I set my local user.name and user.email to whatever value I want, and then I commit it; those values end up in the repository regardless of what credentials I used to push the changes to the repository.

Effectively, the behavior I'd like to have is that when there is a git push from a local repository to the remote repository, that the commits would be notated in some fashion to indicate which user actually pushed them to the repository, and what the timestamp was that this was done.

In my reading about this particular issue, it seems like anything besides simply adding a notation could create some extremely problematic situations (e.g. If I clone a repository from one repository, and return it to my repository, I may want to notate what user pushed that data over; but I definitely wouldn't want to replace the committer on all the history). As a result, I'm looking to notate rather than replace.

I have found

In GitHub Enterprise Server that data is available from the Push log.

On top of that GitHub can keep track of the GPG keys of people or s/mime certificate to ensure that the Committer is who they say they are.

Due to the distributed nature of Git however, it's also possible to receive commits directly from colleagues' forks or local repos or pull requests whereby the person pushing may be pushing commits they received from others. This is expected behavior in a git world.

If you care about the authenticity of the Committer, have people sign their commits either with a GPG key or a Code Signing Certificate linked to their identity to which only they have access.

For Azure DevOps Server, it's possible to create an ISubscriber server plugin (a dotnet assembly implementing a certain interface) to block commits for any reason. For Azure DevOps (Service) such feature does not exist. yiu may be able to leverage an Axure Pipeline here.

For GitHub you could create a GitHub action workflow that blocks a pull request in case it contains unsigned commits or commits where the committer doesn't match the pusher.