Signing Git Commits with Your SSH Key

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • opentimestamps-client

    OpenTimestamps client

  • If you sign your commits, you should also consider timestamping your commits. I use OpenTimestamps for this. Docs and some rationale here: https://github.com/opentimestamps/opentimestamps-client/blob...

    from the doc:

    > My signing keys (e.g. blog or Qubes code signing keys) do not have expiration dates. This is not laziness. There is a fundamental problem with using an expiration date on keys used for code signing (e.g. git tag -s), because it is unclear what the outcome should be when one verifies some old code (written and signed when the key was still valid) in the future, when the key has already expired.

    > Naturally we would like the old code, written and signed when the key was still valid, to continue to verify fine also in the future, after the key expires (and the developer passed away, perhaps). However, it is very problematic to prevent the attacker from creating falsified code pretending to be an old one.

  • git-blame-someone-else

    Blame someone else for your bad code.

  • age

    A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

  • Yes, this is incredibly easy to use: https://github.com/FiloSottile/age

  • platform-samples

    A public place for all platform sample projects.

  • > Note that signing commits doesn't bar bad actors from pushing unsigned commits with forged identities.

    This would need to be coupled with a "reject unsigned commits" policy on push. For example - https://docs.gitlab.com/ee/user/project/repository/push_rule...

    And note that the caveats it has would require the person to log in to GitLab to not need to push (by using the Web IDE instead), which leaves an audit trail there.

    Similar functionality can be crafted with a pre-receive commit hook - https://docs.github.com/en/[email protected]/admin/polic...

    An example of such a hook - https://github.com/github/platform-samples/blob/master/pre-r...

  • smimesign

    An S/MIME signing utility for use with Git

  • I believe GitHub's smimesign can use RFC3161 timestamps:

    How to specify a timestamp server

    https://github.com/github/smimesign/issues/47

  • gitsign

    Keyless Git signing using Sigstore

  • You may want to check out https://github.com/sigstore/gitsign! You can generate ephemeral x509 code signing certs for free using Sigstore.

    (disclosure: I'm a maintainer for gitsign)
