go-tuf vs gittuf

| | go-tuf | gittuf |
|---|---|---|
| Mentions | 1 | 2 |
| Stars | 602 | 397 |
| Growth | 1.5% | 21.2% |
| Activity | 8.9 | 9.6 |
| Latest commit | 13 days ago | 3 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
go-tuf
- cocert: split and distribute your private keys securely amongst untrusted network
That's right. You should also check go-tuf which has support for multiple keys and thresholds instead of splitting. In the current implementation, getting all shared keys back to combine the original key still could be a security issue. In this PoC, we assumed all environments are end-to-end secure and fine-tuned.
gittuf
- Git Branches: Intuition and Reality
It actually does but it's very much in alpha/active development (under the umbrella of OpenSSF with the intent of being integrated into mainline git eventually).
https://github.com/gittuf/gittuf
- Gittuf – a security layer for Git using some concepts introduced by TUF
Hey Will, thanks!
The paper is from quite a few years ago now and the reference is for a subset of gittuf's threat model, specifically the metadata manipulation / reference state attacks. The paper talks about MITM as one way to carry out a ref state attack, but if you're communicating with a compromised repository, you can be a victim of such an attack even if you're using authenticated transport and using signed commits / tags that you have a way of verifying.
We do have a threat model for gittuf that we've been meaning to add [0] to the design doc. I'll try and get that done today. It should probably be in there before we tag our alpha release. :)
[0] https://github.com/gittuf/gittuf/issues/95
What are some alternatives?
cocert - Split and distribute your private keys securely amongst untrusted network
gitsign - Keyless Git signing using Sigstore
cas - Codenotary Community Attestation Service (CAS) for notarization and authentication of digital artifacts
attestation - in-toto Attestation Framework
Caddy - Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
build-extra - Additional files and scripts to help build Git for Windows on MSYS2.
horcrux - Split your file into encrypted fragments so that you don't need to remember a passcode
git-secret - A bash-tool to store your private data inside a git repository.
example
slsa - Supply-chain Levels for Software Artifacts
trdl - The universal solution for delivering your software updates securely from a trusted The Update Framework (TUF) repository.
wasm-to-oci - Use OCI registries to distribute Wasm modules