@therealpires @mattomata@lorenc_dan GitHub API signing uses a single shared key for all users, so they need to double check the commit to make sure they're signing on behalf of the right user.
Gitsign includes a unique cert bound to the user OIDC token, so it doesn't need to do this matching.
@therealpires @mattomata@lorenc_dan Nope!
Gitsign doesn't enforce commit emails to match. Sometimes we want to sign with identities that don't have an email (i.e. CI runners).
While matchCommitter exists, it's a convenience to use the right account - it doesn't have any weight on verification.
gittuf, a security layer for Git repositories, has joined the OpenSSF as a sandbox project housed under the Supply Chain Integrity Working Group. 🎉
gittuf stands out by implementing an array of features dedicated to enhancing security. Learn more today: https://t.co/6ndx4MbIGv
@adityasaky@jacques_chester@decodebytes Like @adityasaky said, `gitsign attest` can store detached signatures/attestations on commits without modifying the original SHA, but it does this by storing data in a different ref space, which means things like remote branch operations won't include signatures by default. 🤷♂️
@adityasaky@jacques_chester@decodebytes General +1 to this!
The gitsign signature format CAN support multiple signatures (the underlying format is PKCS7), but practically it's not really useful because it will cause the SHA to change, so the gitsign tool doesn't bother to support it at the moment.
The future of security looks bright, you don't even need a key 🚫🔑
We partnered with @projectsigstore to help you move away from traditional keys to keyless signing. Learn how to do this by adding just a few lines in a yml file: https://t.co/LV28slTV48
Securing your source code just got simpler.
Today, @chainguard_dev announced Enforce for @github - a GitHub App for public repositories that lets you define & enforce policy for @projectsigstore -based Git signatures.
https://t.co/T40hjjiqMp
Dive into the world of code signing and supply chain security with Billy Lynch from @chainguard_dev
With years of experience at Google, Billy brings unique insights into securing our digital ecosystems.
Don't miss this episode: https://t.co/ceC6todKYX
#SupplyChainSecurity
Do you know about GitSign yet from sigstore and Chainguard???
We sat down with @wflynch for an episode of the Securty Repo podcast to talk about this and some other areas of supply chain security.
Check it out
https://t.co/QCsTFz72Im
or
https://t.co/aVDbozfqAL
🆕 Chainguard Academy is live 💜
📗OSS: SLSA, SBOMs, Wolfi, apko, melange, sigstore, etc
📙Edu: glossary, recommendations & more
📘PDocs: Images, Enforce, chainctl
🔗https://t.co/Swv54UL6BA
🟣Software Self-Attestation With @lorenc_dan: Industry Perspectives Feat. CRob
🟣Learn everything you need to know about SSDF and CISA's Software Self-Attestation Form!
Tomorrow 👇
https://t.co/zupF8coBuc
📝 Billy Lynch from @chainguard_dev challenged us to rethink our trust in signed commits in git.
Through his session on Gitsign, he explored why and how we need to ensure the integrity of our code in the face of escalating supply chain security issues. 5/7
Starting random gratitude shoutouts to the amazing people who are dedicated to OSS 🐙
First up, @puerco, who is the sBOM 💣 &
🦸♂️saves the world from drowning in CVE false positives w OpenVEX
🫶 has a heart of gold
We appreciate you! 💜
📝“Being able to sign artifacts without needing to worry about keys goes a long way to help developers secure their supply chains without needing to worry about the complexities of key management”. @wflynch
https://t.co/l8rSOqhBSD
🎙️ #cdCon + #GitOpsCon Talk 🎙️
Identity-based Source Integrity with Gitsign by @wflynch from @Chainguard_dev
Tuesday, May 9 at 4:30pm PDT
Add to your schedule here: https://t.co/lr7GueaACc