Commit signing in 2023 is kinda wack
a year ago
- #security
- #git
- #cryptography
- The author discusses their skepticism towards traditional git commit signing methods due to complexity and impracticalities.
- They highlight issues with long-lived cryptographic identities, such as key compromise and loss, and the difficulty of maintaining them.
- The post explores current commit signing options like GPG, SSH, and S/MIME, noting their limitations in revocation and verification.
- Future solutions like Gitsign (part of Sigstore) and OpenPubkey are introduced, focusing on short-lived identities and transparency logs.
- Gitsign uses OpenID Connect for identity verification and embeds signing details in a transparency log, offering a different approach to commit signing.
- OpenPubkey is mentioned as a draft specification that reuses OpenID Connect identities for cryptographic purposes, though it has its own set of challenges.
- The author concludes by stating they don't currently sign commits but are open to adopting Gitsign once it gains wider adoption.
- They emphasize the importance of existing security measures like SSH key restrictions and branch protection rules.