

A brief history of Git commit signing

Signing Git commits is not a new concept: Git has supported GPG-based signing for years, and more recently has added support for SSH keys and X.509 certificates as well! However, these approaches suffer from the same problems as container signing: key creation and management make it hard to get started, and every key adds yet another secret to protect.

That made us think: what if we could apply the same ideas that made Cosign so popular to other tools like Git? In the early days of Cosign, we imagined what it would look like to sign Git commits with ephemeral keys to give a “keyless” experience, but this wasn’t perfect. Signing this way relied on storing signatures either completely outside the repository or in a separate reference space that was not typically used for signing commits and tags. While this approach is still useful for storing additional metadata related to commits, it doesn’t hook into existing Git signature verification flows (git log --show-signature, git verify-commit, and so on).

However, Git itself allows you to customize the program it calls to sign and verify (gpg.program, gpg.x509.program, gpg.format), letting you hook into the Git commit lifecycle to provide custom signing behavior! With this, we were able to write our own tool to bridge this gap and bring Git and Sigstore together.
