attestation
gitsign
attestation | gitsign | |
---|---|---|
3 | 10 | |
202 | 908 | |
7.4% | 1.0% | |
8.6 | 9.1 | |
4 days ago | 5 days ago | |
Go | Go | |
GNU General Public License v3.0 or later | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
attestation
-
Gittuf – a security layer for Git using some concepts introduced by TUF
It's multi-pronged and I imagine adopters may use a subset of features. Broadly, I think folks are going to be interested in a) branch/tag/reference protection rules, b) file protection rules (monorepo or otherwise, though monorepos do pose a very apt usecase for gittuf), and c) general key management for those who primarily care about Git signing.
For those who care about a and b, I think the work we want to do to support [in-toto attestations](https://github.com/in-toto/attestation) for [SLSA's upcoming source track](https://github.com/slsa-framework/slsa/issues/956) could be very interesting as well.
- NPM Provenance Public Beta
-
There is no “software supply chain”
I have. I actually worked a few desks down from dpc when he was creating it and we talked about it at length. I felt then and now that it has good goals but a very limiting implementation in that it does not pursue a portable spec and instead anchors a very opinionated format to git, and github, instead of cryptographic keys held in hardware owned controlled by reviewers. I want to see the same keys that sign git commits also sign reviews, for instance.
I think for broad adoption a review system should ask essentially the same questions as crev, but store them in a format like in-toto including signatures by the reviewers created with a user choice of pgp smartcards, ssh keys, or webauthn devices. These reviews would be anchored to hashes of a particular state of a particular tree of code and not to any type of VCS or distribution system. Important code is distributed via Perforce, mercurial subversion, and tar files depending if we are talking about big corps, or linux distro building blocks. A good OSS review system should be also be usable by teams in their internal proprietary codebases too if we wish to see wide adoption. Even for OSS we may wish to share some reviews as standalone objects privately while security embargos are in place, etc. Proofs should also be verified standalone easily from local cache, when github is down, when original repos vanish, etc.
Something that meets these broader needs will make it easy for large orgs with very different internal setups to participate and play nice with other supply chain efforts by the OpenSSF using in-toto for reproducible builds, etc.
My experience tells me we need something much more ambitious than crev, but crev proved to me many people have real interest in this problem which I really thank dpc for.
The biggest blocker for starting this project is the human review spec settling in in-toto https://github.com/in-toto/attestation/issues/77
gitsign
-
Gittuf – a security layer for Git using some concepts introduced by TUF
> does it also filter/escape ANSI Sequences in messages and author names?
Not at present! Do you have a link or so I could use to familiarize myself? I'm curious if it'd fall within gittuf's scope.
> does it block garbage collection?
Nope, it doesn't. That said, the repository will have more objects, gittuf tracks additional objects through custom refs in `refs/gittuf/`.
> how do you ensure that the developers are really the developers and there's no spoofing?
At present, gittuf policies use signing keys. It doesn't rely on the commit metadata for author and committer but rather the commit's signature. We support GPG and Sigstore's gitsign [0] right now, and we want to support other signing mechanisms like SSH keys as well.
[0] https://github.com/sigstore/gitsign
-
Signing Git Commits with Your SSH Key
You may want to check out https://github.com/sigstore/gitsign! You can generate ephemeral x509 code signing certs for free using Sigstore.
(disclosure: I'm a maintainer for gitsign)
-
A toolbox for a secure software supply chain
Def check out the gitsign project mentioned in the post: https://github.com/sigstore/gitsign
-
Enable Gitsign Today and Start Signing your Commits
Gitsign offers a keyless commit signing implementation based on OIDC, which is an identity layer built on top of the OAuth 2.0 framework. Gitsign supports verifying your identity either through GitHub, Microsoft, or a Google account.
-
SSH commit verification now supported
Shameless plug for the gitsign project in sigstore: https://github.com/sigstore/gitsign
This isn't supported by GitHub yet but we're hopefully working towards that too.
- sigstore/gitsign: Keyless Git signing using Sigstore
- Keyless Git signing with Sigstore!
-
Gitsign
We used to actually run an RFC3161 timestamp server in addition to the transparency log but recently turned it down because no one was using it. I'd like to bring it back for stuff like this.
https://github.com/sigstore/gitsign/issues/22
What are some alternatives?
malicious-software-packages-dataset - An open-source dataset of malicious software packages found in the wild, 100% vetted by humans.
smimesign - An S/MIME signing utility for use with Git
root-signing
git-ts - Git TimeStamp Utility
dsse - A specification for signing methods and formats used by Secure Systems Lab projects.
github - Just a place to track issues and feature requests that I have for github
gittuf - A security layer for Git repositories
SignTools - ✒ A free, self-hosted platform to sideload iOS apps without a computer
packj - Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
community - Public feedback discussions for: GitHub Mobile, GitHub Discussions, GitHub Codespaces, GitHub Sponsors, GitHub Issues and more!
fulcio - Sigstore OIDC PKI
cargo-vet - supply-chain security for Rust