git sensitive data

Git hardly forgets Ombu Labs, January 2016

Upload: ombu-labs-the-lean-software-boutique

Post on 12-Apr-2017


Page 1: Git Sensitive Data

Git hardly forgets

Ombu Labs, January 2016

Page 2: Git Sensitive Data

The Problem

$ echo "secret data" > id_rsa

$ git add id_rsa

$ git commit -m "bad commit"

Page 3: Git Sensitive Data

$ git rm id_rsa

$ git show d6ec68d
d6ec68d - bad commit
diff --git a/id_rsa b/id_rsa
secret data

The Data remains

Page 4: Git Sensitive Data

$ git filter-branch --tree-filter 'rm -f id_rsa' HEAD
Rewrite f5741346a28c65097b2a4e1ac9d9f31ca99ce43e (4/4)
Ref 'refs/heads/master' was rewritten

$ git log
0849436 - (HEAD -> master) remove id_rsa file
1ec887c - another file
7108ca8 - bad commit
474db38 - initial commit

$ git show 7108ca8
7108ca8 - bad commit

Rewrite the history

Page 5: Git Sensitive Data

$ git show d6ec68d
d6ec68d - bad commit
secret data

Rewrite the history

Seems that the history still exists …

Page 6: Git Sensitive Data

$ git push

$ git clone [email protected]:git-demo.git

$ git show d6ec68d
fatal: ambiguous argument 'd6ec68d': unknown revision or path not in the working tree.

Local vs Remote

Page 7: Git Sensitive Data

$ git filter-branch --tree-filter 'git ls-files -z "*.rb" | xargs -0 perl -p -i -e "s#(12345)#REMOVED#g"' -- --all
Rewrite 051fdf0ac67128a918dd703e26df5737cf6f39da (8/8)
...
Ref 'refs/remotes/origin/awesome-feature' was rewritten
Ref 'refs/remotes/origin/master' was rewritten

$ git gc --aggressive --prune

$ git push -f

Filter Passwords

Page 8: Git Sensitive Data

$ git log
bba8283 - replace api key with env var
7152c92 - add api key to demo.rb

$ git show 7152c92
7152c92 - add api key to demo.rb

+API_KEY=REMOVED

The Result
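
Why the old commit can still be shown locally after "Rewrite the history", and why `git gc` on its own does not drop it, as an added example that is not part of the original slides: `git filter-branch` keeps a backup under `refs/original/` and the reflog still references the pre-rewrite commits. The throwaway repository, the identity and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: everything runs in a constructed temporary repository.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's warning delay

# Commit a (constructed) secret, then rewrite it out of the branch history.
make_repo() {
    repo=$(mktemp -d) && cd "$repo" && git init -q . || return 1
    echo "readme" > README && git add README && git commit -qm "initial commit"
    echo "secret data" > id_rsa && git add id_rsa && git commit -qm "bad commit"
    git filter-branch -f --tree-filter 'rm -f id_rsa' HEAD >/dev/null 2>&1
}

# Count blobs anywhere in the object store (reachable or not) matching $1.
count_secret_blobs() {
    n=0
    for oid in $(git cat-file --batch-all-objects --batch-check |
                 awk '$2 == "blob" {print $1}'); do
        if git cat-file -p "$oid" | grep -q -- "$1"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Remove what still pins the pre-rewrite commits, then prune immediately.
purge_old_history() {
    git for-each-ref --format='%(refname)' refs/original/ |
        while read -r ref; do git update-ref -d "$ref"; done
    git reflog expire --expire=now --all
    git gc -q --prune=now
}

make_repo
echo "after filter-branch: $(count_secret_blobs 'secret data') blob(s) with the secret"
git gc -q --prune=now
echo "after gc only:       $(count_secret_blobs 'secret data')"
purge_old_history
echo "after purge:         $(count_secret_blobs 'secret data')"
```

This only cleans the local object store; clones and forks made before the rewrite keep their own copies, which is why the slides end with rotating the keys.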

Page 9: Git Sensitive Data

Safest Solution

• change all current Keys & Passwords

• rm -rf .git/

Page 10: Git Sensitive Data

Thank you!

Page 11: Git Sensitive Data

Questions?