Protect The Software Supply Chain With Gitsign
Written by Nikos Vaggalis   
Monday, 18 July 2022
Sigstore and the Linux Foundation have taken another step toward securing the software supply chain, this time focusing on the initial stage of the chain. That is, the signing of Git commits.



Supply chain security is all the rage right now and the Linux Foundation's answer to it came through Sigstore:

Understanding and confirming the origin and authenticity of software relies on an often disparate set of approaches and data formats. The solutions that do exist, often rely on digests that are stored on insecure systems that are susceptible to tampering and can lead to various attacks such as swapping out of digests or users falling prey to targeted attacks.

Users generate ephemeral short-lived cryptography keys with the sigstore client tooling and use the keys to sign software.A sigstore PKI service will provide an X.509 signing certificate generated upon a successful OpenID connect grant. All certificates are then recorded into a certificate transparency log and software signing materials are sent to a signature transparency log.

Signing every component along the chain would prove its authenticity. That's what Sigstore does by empowering software developers to securely sign software artifacts such as release files, container images and binaries. These signatures are then stored in a tamper-proof public log - for free.

Since everybody is on Git, what better way of starting with signing the initial artifacts of the supply chain, the commits? While Sigstore had released tools for signing containers and binaries,there was nothing for signing git commits.This is about to change with Gitsign, which allows you to sign your commits in a keyless fashion by using your GitHub / OIDC identity. Not only does this relieve you of the burden of managing the keys yourself, it also deal with the issue of those keys many times ending up being written inside the source of the repo itself, in effect canceling out the signing process.

So now when signing commits as usual with git commit -S your browser will now redirect through the Sigstore's Keyless flow to authenticate and sign the commit. I say as 'usual' since GitHub was already offering signing commits with SSH keys and x509 certificates bearing the cost of the keys' management. Gitsign now removes this need.

To install it, we can use 'go' which makes the process as is easy as:

 $ go install

After that we have to configure the tool per repository with:

$ cd /path/to/my/repository
$ git config --global gpg.format x509 # Use Gitsign for signing
$ git config --global gpg.x509.program gitsign
$ git config --global commit.gpgsign true # Sign all commits

Then when about to sign a commit, just fire:

git commit --allow-empty --message="Signed commit"

intuitive enough.

The commits can then be verified using git verify-commit since they've been added to the Rekor transparency log (a transparency log for recording supply chain metadata) which ensures that signatures can be verified even after the certificate has expired.

In essence tagging, tracking history and preventing tampering is a spot on case for utilizing the blockchain. But this idea was rejected for the transparency log on the grounds that:

  • Public blockchains, with all the best of intentions, often end up using a centralized entry point for canonicalization, auth etc.

  • Consensus algorithms can be susceptible to majority attacks.

  • Transparency logs are more mature in this space at present and they are capable of providing exactly what we need.

Further instructions and configuration options, such as the environmental variables supported, can be found on its official repo.

At about the same time of Gitsign's release, a handy python based utility with similar notion emerged.This is sigstore-python which is a tool for signing and verifying Python package distributions. Its usable but still in the early stages considering the warning in big letters on the repo's front page:

This project is not ready for general-purpose use!

That is not the case for GitSign though. You can use it as of right now!



More Information


Related Articles

Does Sigstore Really Secure The Supply Chain?

The State Of Secure Software Development - Three OpenSSF Courses

GitHub Skills - A Better Way to Learn Git and GitHub



To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Run WebAssembly Components Inside Node.js With Jco

Jco 1.0 has been just announced by the Bytecode Alliance.It's a native JavaScript WebAssembly toolchain and runtime that runs Wasm components inside Node.js. Why is that useful?

The WinterJS Javascript Runtime Is Asking For Your Attention

WinterJS is a brand new Javascript runtime by Wasmer which comes with the claim that it's the fastest of them all. Let's find out if that holds true.

More News

raspberry pi books



or email your comment to:

Last Updated ( Monday, 18 July 2022 )