Secure Software Supply Chain by Signing Git Commits With Keeper
2 MIN READ Published on
October 18, 2023
Share this blog
Written by Timothy Jester
The modern threat landscape is constantly changing and the software supply chain has become a common target for cybercriminals. Cyber threats have become a headache for overworked developers and DevOps teams as they face tight deadlines, limited staffing resources and the added burden of ensuring that their code does only what it is intended to do and is free of bugs and malware.
What Is a Commit and Why Should You Sign Them?
A ‘commit’ command is used to save a smaller piece of code that is added to an application at a specific time. Committed changes are considered safe versions of the project and must be authorized by the developer to be saved to the repository where it is hosted.
Signing ‘git’ commits is the recommended best practice for developers to confirm the authenticity and integrity of code releases. As developers sign commits with Secure Shell (SSH) keys, they are provided with cryptographic proof of authorship.
This helps support a broader government and industry effort to bring increased security and visibility to the open source community, by enabling developers to validate that the software in use is exactly what it is claiming to be, with a cryptographic digital signature and transparent logging.
By creating the record of trusted code, developers mitigate the risks associated with code releases and establish trust with anyone who might use that code. This traditionally has added complexity to the workflow, but Keeper makes this a seamless process.
Storing SSH Keys in Keeper Secrets Manager
Beyond signing commits, developers also need to secure the key used to sign commits.
Keeper and The Migus Group have teamed up to create an open-source solution to sign commits using the SSH keys stored in your Keeper Vault. Keeper utilizes a zero-knowledge security architecture and is highly secure with certifications (ISO 27001, SOC 2, FedRAMP and StateRAMP) to back it up. Storing these keys in your vault ensures the key cannot be compromised by typical attack vectors.
This integration provides developers with a secure home for their SSH keys and removes the practice of storing them on disk, increasing security and streamlining DevOps workflows.
SSH keys for signing commits are secured in Keeper Secrets Manager (KSM) which is supported on Windows, MacOS and Linux. The source code for this integration can be found on GitHub.
Keeper Secrets Manager is a cloud-based, zero-trust and zero-knowledge solution for securing infrastructure secrets such as database passwords, access keys, certificates, API keys, SSH keys for signing commits and any other type of confidential data.
KSM integrates with all of the leading CI/CD systems and supports any type of machine to protect your infrastructure, no matter how complex. Other KSM features work in tandem with signed code commits to reduce the risk associated with privileged users and privileged credentials.
Eliminate secrets sprawl by removing hard-coded credentials and consolidate secrets in a unified platform with easy reporting for compliance.
Timothy Jester is the Senior Product Marketing Manager for Keeper Security, with more than 10 years of experience in consulting, cloud, security and identity marketing. Timothy now leads product marketing to apply Keeper’s award-winning technology to solve real world problems. Timothy holds a bachelor’s degree in Communication from Kennesaw State University.
Get the latest cybersecurity news and updates sent straight to your inbox
Share this blog
You May Also Like
How to Transition to a Fully Passwordless Environment With Keeper, Passkeys and SSO
Passwordless authentication is a security method that allows a user to gain access to a system without entering a traditional password. Instead, it relies on alternative means of verification, such as biometric data (like fingerprints or...