HackerTrans
TopNewTrendsCommentsPastAskShowJobs

wlynch

no profile record

Submissions

What the Fork: Imposter Commits in GitHub Actions and CI/CD

chainguard.dev
11 points·by wlynch·3 jaar geleden·0 comments

Introducing Gitsign – Keyless Git commit signing with Sigstore

blog.sigstore.dev
14 points·by wlynch·4 jaar geleden·0 comments

comments

wlynch
·4 jaar geleden·discuss
You may want to check out https://github.com/sigstore/gitsign! You can generate ephemeral x509 code signing certs for free using Sigstore.

(disclosure: I'm a maintainer for gitsign)
wlynch
·4 jaar geleden·discuss
+1 to this!

https://docs.sigstore.dev/fulcio/certificate-issuing-overvie... has a good overview of how the certificate issuing works.

With Gitsign, by default a new keypair is generated per signing event (i.e. per commit) and never hits disk. The cert in the commit signature holds the public key, which we can check against Rekor (https://docs.sigstore.dev/rekor/overview) to verify it was valid at the time of signing.

If you have the time, https://www.youtube.com/watch?v=PVhRQFS9Njg is a great deep dive into how Sigstore works in general!
wlynch
·4 jaar geleden·discuss
Worth calling out that gitsign works with any Git host for the commit signatures / verification!

The main piece that's platform specific is the Verified badges that you see in the UI + any CI checks.
wlynch
·4 jaar geleden·discuss
You can find the feature request for supporting keyless sigstore/gitsign at https://gitlab.com/gitlab-org/gitlab/-/issues/364428
wlynch
·4 jaar geleden·discuss
Balancing privacy vs transparency is definitely something that's tricky! You may be interested in https://blog.sigstore.dev/privacy-in-sigstore-57cac15af0d0 which goes into some of the background of why email addresses are used and some of the things we're thinking about in this area for Sigstore.

Disclosure: I'm the creator of gitsign and wrote this blog post.