gitsign
opentimestamps-client
gitsign | opentimestamps-client | |
---|---|---|
10 | 2 | |
899 | 283 | |
0.7% | 0.0% | |
9.1 | 2.6 | |
3 days ago | about 2 months ago | |
Go | Python | |
GNU General Public License v3.0 or later | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gitsign
-
Gittuf – a security layer for Git using some concepts introduced by TUF
> does it also filter/escape ANSI Sequences in messages and author names?
Not at present! Do you have a link or so I could use to familiarize myself? I'm curious if it'd fall within gittuf's scope.
> does it block garbage collection?
Nope, it doesn't. That said, the repository will have more objects, gittuf tracks additional objects through custom refs in `refs/gittuf/`.
> how do you ensure that the developers are really the developers and there's no spoofing?
At present, gittuf policies use signing keys. It doesn't rely on the commit metadata for author and committer but rather the commit's signature. We support GPG and Sigstore's gitsign [0] right now, and we want to support other signing mechanisms like SSH keys as well.
[0] https://github.com/sigstore/gitsign
-
Signing Git Commits with Your SSH Key
You may want to check out https://github.com/sigstore/gitsign! You can generate ephemeral x509 code signing certs for free using Sigstore.
(disclosure: I'm a maintainer for gitsign)
-
A toolbox for a secure software supply chain
Def check out the gitsign project mentioned in the post: https://github.com/sigstore/gitsign
-
Enable Gitsign Today and Start Signing your Commits
Gitsign offers a keyless commit signing implementation based on OIDC, which is an identity layer built on top of the OAuth 2.0 framework. Gitsign supports verifying your identity either through GitHub, Microsoft, or a Google account.
-
SSH commit verification now supported
Shameless plug for the gitsign project in sigstore: https://github.com/sigstore/gitsign
This isn't supported by GitHub yet but we're hopefully working towards that too.
- sigstore/gitsign: Keyless Git signing using Sigstore
- Keyless Git signing with Sigstore!
-
Gitsign
We used to actually run an RFC3161 timestamp server in addition to the transparency log but recently turned it down because no one was using it. I'd like to bring it back for stuff like this.
https://github.com/sigstore/gitsign/issues/22
opentimestamps-client
-
📑 MiniBolt resources 📚 List of the MiniBolt core/bonus guides + latest versions
OpenTimeStamp-client v0.7.1 (Released: 26th August 2022) - https://github.com/opentimestamps/opentimestamps-client/releases
-
Signing Git Commits with Your SSH Key
if you sign your commits, you should also consider timestamping your commits. I use OpenTimestamps for this. Docs and some rationale here: https://github.com/opentimestamps/opentimestamps-client/blob...
from the doc:
> My signing keys (e.g. blog or Qubes code signing keys) do not have expiration dates. This is not laziness. There is a fundamental problem with using an expiration date on keys used for code signing (e.g. git tag -s), because it is unclear what the outcome should be when one verifies some old code (written and signed when the key was still valid) in the future when the key has already expired?
> Naturally we would like the old code, written and signed when the key was still valid, to continue to verify fine also in the future, after the key expires (and the developer passed away, perhaps). However, it is very problematic to prevent the attacker from creating falsified code pretending to be an old one.
What are some alternatives?
smimesign - An S/MIME signing utility for use with Git
platform-samples - A public place for all platform sample projects.
git-ts - Git TimeStamp Utility
rebalance-lnd - A script that can be used to balance lightning channels of a lnd node
github - Just a place to track issues and feature requests that I have for github
SignTools - ✒ A free, self-hosted platform to sideload iOS apps without a computer
electrs - An efficient re-implementation of Electrum Server in Rust
community - Public feedback discussions for: GitHub Mobile, GitHub Discussions, GitHub Codespaces, GitHub Sponsors, GitHub Issues and more!
btc-rpc-explorer - Database-free, self-hosted Bitcoin explorer, via RPC to Bitcoin Core.
cargo-vet - supply-chain security for Rust
git-blame-someone-else - Blame someone else for your bad code.