If you sign your commits, you should also consider timestamping your commits. I use OpenTimestamps for this. Docs and some rationale here: https://github.com/opentimestamps/opentimestamps-client/blob...
From the doc:
> My signing keys (e.g. blog or Qubes code signing keys) do not have expiration dates. This is not laziness. There is a fundamental problem with using an expiration date on keys used for code signing (e.g. git tag -s), because it is unclear what the outcome should be when one verifies some old code (written and signed when the key was still valid) in the future when the key has already expired?
> Naturally we would like the old code, written and signed when the key was still valid, to continue to verify fine also in the future, after the key expires (and the developer passed away, perhaps). However, it is very problematic to prevent the attacker from creating falsified code pretending to be an old one.
Yes, this is incredibly easy to use: https://github.com/FiloSottile/age
> Note that signing commits doesn't bar bad actors from pushing unsigned commits with forged identities.
This would need to be coupled with a "reject unsigned commits" policy on push. For example - https://docs.gitlab.com/ee/user/project/repository/push_rule...
And note that the caveats it has would require the person to log in to GitLab so as not to need to push (by using the Web IDE instead), which leaves an audit trail there.
Similar functionality can be crafted with a pre-receive commit hook - https://docs.github.com/en/[email protected]/admin/polic...
An example of such a hook - https://github.com/github/platform-samples/blob/master/pre-r...
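A concrete server-side hook of the kind the two links above describe, added here as an example (it is not the GitHub platform-samples script nor the GitLab push rule). It reads the `oldrev newrev refname` lines git hands a pre-receive hook on stdin, lists the commits each update introduces, and refuses the push if any commit's `%G?` signature status falls outside the policy. The accepted-status set (G and U) and the `$0` guard at the bottom are my choices, not anything the linked docs mandate:

```shell
#!/bin/sh
# pre-receive hook: refuse a push if any new commit lacks a good signature.
# git feeds one "<oldrev> <newrev> <refname>" line per updated ref on stdin and
# refuses the whole push when this hook exits non-zero.  Example code, not the
# sample from the GitHub docs.

ZERO=0000000000000000000000000000000000000000

# Policy on the one-letter status git prints for %G?:
#   G good trusted signature, U good signature from a key git does not trust,
#   B bad, X/Y expired signature or key, R revoked key, E cannot verify, N unsigned.
# Accepting U is an assumption made here; tighten to G alone if the server's
# keyring (or allowed_signers file for SSH signatures) is curated.
signature_ok() {
  case "$1" in
    G|U) return 0 ;;
    *)   return 1 ;;
  esac
}

# Reads "<sha> <status> <subject>" lines, i.e. the output of
#   git log --format='%H %G? %s'
# and returns 1 (naming each offender on stderr) if any commit fails the policy.
check_commit_list() {
  rc=0
  while read -r sha status subject; do
    [ -n "$sha" ] || continue
    if ! signature_ok "$status"; then
      echo "rejected $sha [signature status $status]: $subject" >&2
      rc=1
    fi
  done
  return $rc
}

# List the commits a ref update introduces.  Refs are not yet moved while
# pre-receive runs, so for a brand-new ref "--not --all" excludes every commit
# the repository already has and only the genuinely new ones are checked.
new_commits() {
  if [ "$1" = "$ZERO" ]; then
    git log --format='%H %G? %s' "$2" --not --all
  else
    git log --format='%H %G? %s' "$1..$2"
  fi
}

main() {
  status=0
  while read -r oldrev newrev refname; do
    # A ref deletion introduces no commits, so there is nothing to verify.
    [ "$newrev" = "$ZERO" ] && continue
    if ! new_commits "$oldrev" "$newrev" | check_commit_list; then
      echo "push to $refname refused: every commit must carry a good signature" >&2
      status=1
    fi
  done
  return $status
}

# Only act as the hook when installed under that name, so the functions above
# can be sourced and exercised on their own (this guard is a convenience, not
# something git requires).
case "$(basename "$0")" in
  pre-receive) main; exit $? ;;
esac
```

Install it as `hooks/pre-receive` in the bare repository (executable) and confirm `git log --format='%H %G?'` on the server actually resolves signatures: `%G?` reports `E` when the verifying key is absent from the server's keyring, so a hook with an empty keyring rejects everything, including legitimately signed commits. The same caveat as the GitLab push rule applies: this only gates pushes, so commits created through a web UI on the server itself bypass it.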
I believe GitHub's smimesign can use RFC 3161 timestamps: "How to specify a timestamp server", https://github.com/github/smimesign/issues/47
You may want to check out https://github.com/sigstore/gitsign! You can generate ephemeral x509 code signing certs for free using Sigstore.
(disclosure: I'm a maintainer for gitsign)