A new open source project allows software developers and DevOPs to digitally sign Git commits easily and securely. A Git commit is a version control system that tracks changes in software projects.
A Git commit is a snapshot that captures changes at a specific point in time, accompanied by a short report describing the adjustments. Keeper and The Migus Group developers are collaborating to develop an open source solution for signing Git commits with SSH keys stored in a user's Keeper Vault. The integration provides developers with a secure and encrypted repository for their SSH keys and eliminates the practice of storing them on disk, both increasing security and improving DevOps workflows.
Signed Git commits confirm authorship
The increase in software supply chain attacks highlights the need for organizations to prioritize security. Signing Git commits is a recommended best practice for developers to confirm the authenticity and integrity of code releases. When developers sign commits with SSH keys, they receive cryptographic proof of authorship, which helps ensure supply chain security by assuring users that the software came from a legitimate source and has remained unchanged since it was signed. Digital signatures can also be incorporated into a Software Bill of Materials (SBOM) to indicate whether a position in the SBOM is trustworthy based on the status of the code signature.
A complex process becomes simpler
“The ability to store SSH keys and other credentials in Keeper Vault provides a level of protection and ease of use not previously available,” said Craig Lurey, CTO and co-founder of Keeper Security. “Our integration allows developers to validate software code with a cryptographic digital signature and transparent logging, turning a previously complex process into a simple one. In the future, all code will be signed and the software supply chain will have a single, valid source, reducing supply chain attacks.”
“Our customers ask us for help to protect themselves from attacks on their supply chain, and we have already been working on this, often using Keeper,” says Adam Migus, founder and CEO of The Migus Group. “Therefore, we believe that working with Keeper to make the Git commit signing process both more secure and simpler is a win-win-win. Our customers can now seamlessly sign commits with keys that never leave their vault. But the broader community also receives an example of secure commit signing with the benefits of central key management.”
Cloud-based zero-knowledge platform secures infrastructure secrets
The SSH keys for signing commits are backed up in Keeper Secrets Manager KSM. KSM is a fully managed, cloud-based, zero-knowledge platform for securing infrastructure secrets such as API keys, database passwords, SSH keys, certificates and any type of sensitive data. KSM eliminates secret proliferation by removing hard-coded credentials from source code, configuration files, and CI/CD systems. Keeper's solution was recognized as one of the leading providers in the 2023 KuppingerCole Leadership Compass for Secrets Management. KSM supports Windows, MacOS and Linux. The solution leverages a zero-knowledge security architecture and is highly secure with ISO 27001 and SOC 2 compliance, as well as FedRAMP and StateRAMP authorization, among numerous other certifications.
Keeper's integration supports government and industry efforts to provide greater security and transparency to the open source community. Easily providing a cryptographic digital signature allows developers to verify that the software they are using is exactly what it claims to be, increasing security for developers and end users alike.
More at KeeperSecurity.com
About Keeper Security Keeper Security is changing the way people and organizations around the world protect their passwords, secrets and sensitive information. Keeper's easy-to-use cybersecurity platform is built on the foundation of zero-trust, zero-knowledge security to protect every user and every device.