
Commit signing in 2023 is kinda wack


Complexities and practical challenges of git commit signing in 2023, highlighting alternatives and future possibilities in code security.

Part of the Sigstore project (“backed by the Open Source Security Foundation/OpenSSF under the Linux Foundation, with contributions from Google, Red Hat, Chainguard, GitHub and Purdue University”), Gitsign allows software engineers to “sign git commits with an OpenID Connect identity” and embed these signing details into “the transparency log Rekor for subsequent verification”. We’re warned that this doesn’t “verify cert claims”: since we don’t tell git-verify-commit which identity to expect, Gitsign is only able to ensure that the signature is plausibly valid and included in the transparency log (Rekor, hence the tlog index mentions seen so far). Several contributors to Sigstore have noted concerns with OpenPubkey’s proposed model [7, 8], notably regarding privacy (unexpected OIDC claims being included in the certificate, such as name), expiration times being implicit, and the ability to verify signatures in the long term.
