Gitsign: A new way to secure your commits
Sigstore, an organization that helps you to secure your software by signing, verifying and protecting, has introduced a feature called Gitsign that helps you to protect your Git commits ensuring reliability. If you’re new to Gitsign and the importance of Gitsign is yet to be explored by you, then you have come to the right place!
The topics I’ll be covering in my blog today are as follows:
1. Why do we need Gitsign?
2. What is Gitsign?
3. Gitsign Tutorial
4. Limitations
5. Conclusion
Why do we need Gitsign?
If you are a passionate open source contributor who helps people by providing features/applications/code on Github, then you might run into the problem where someone would make fake repositories under your name and will make fake commits just to show that they are legitimate which leads to tricking people to use their repositories and risking the user’s security as the code maybe malicious. This type of attack can come under the wing of typosquatting where the attacker impersonates a site or a project with slight amendments such as misspelled domain name or project names. The chart below shows the increase in the software supply chain attacks.
To avoid this type of attacks, a proposed solution is to sign your commits so later it can be verified that the commits didn’t come from an impersonator. There are several ways to sign your commits such as using:
· GPG (a public key encryption tool used for securing messages)
· SSH keys (a public key protocol to ensure the security of the data)
· S/MIME (a public key encryption mainly used for signing emails)
The problem with the above mentioned tools used to sign commits is that the long-lived keys can be compromised or can be lost. To save the day, here comes Gitsign!
What is Gitsign?
Gitsign is a feature that helps to sign the commits without keys. Yes, you heard it right! It uses the keyless signing concept where keys are generated for a short period of time till signing and they are verified to be valid at the time of signing. The concept of keyless signing in Gitsign is based on the foundations of Open ID Connect which is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. So, Gitsign likes to authenticate using your Github, Google or Microsoft account.
Gitsign Tutorial
Now, we will be setting up gitsign and use it to sign our commits.
Installation of gitsign
We can install gitsign in Fedora and Debian/Ubunutu with the following commands.
For Fedora,
$wget https://github.com/sigstore/gitsign/releases/download/v0.3.0/gitsign_0.3.0_linux_amd64.rpm
$sudo rpm -ivh gitsign_0.3.0_linux_amd64.rpmFor Debian/Ubuntu,
$wget https://github.com/sigstore/gitsign/releases/download/v0.3.0/gitsign_0.3.0_linux_amd64.deb
$sudo dpkg -i gitsign_0.3.0_linux_amd64.debYou can also use Go 1.17+ for installing gitsign,
$go install github.com/sigstore/gitsign@latestIt will result in a binary, with the path at $GOPATH/bin/gitsign.
Setting up Gitsign with Git
The following commands instruct to use gitsign for signing from now on and lets it know which key type to use i.e. x509. These commands will be run just once and will be used for configuration.
$git config gpg.x509.program gitsign
$git config gpg.format x509
$git config commit.gpgsign trueNow whenever you will commit, a new tab on your browser will open. Here you will have to login to sigstore and after that the following message would appear.
Limitations
As Gitsign is fairly new, it has certain limitations and has to be upgraded with time. The biggest limitation is:
· Unavailability of Gitsign verification
The Githib’s trust root has not made sigstore’s Certificate Authority root its part and as it uses short-lived keys along with the standard (i.e. x509), makes it difficult to verify the signature after the keys have expired. To possible solution to this is using Rekor(provides a restful API-based server for validation, and a transparency log for storage) to add the validation layer to the verification, confirming that the key used was valid at the time of signature.
But, GitHub Actions has got you covered by verifying Gitsign! It loops and checks for the commits between the HEAD and git ref, and reports the unverifiable commits with an error.
Conclusion
Thus, in order to protect and secure our open-source work ensuring the credibility, important security measures such as signing our commits are essential part of Software Supply Chain Security and Gitsign is present to contribute for this cause. Kudos to sigstore for introducing Gitsign!