
Use Signed Git Commits and Releases

Open ALRubinger opened this issue 2 years ago • 1 comments

Using signed commits and releases is crucial for supply chain security because it provides verifiable assurance that the code or release originates from a trusted source and has not been tampered with during transit. This cryptographic validation prevents malicious actors from introducing unauthorized changes or counterfeit software into the supply chain. In essence, signing serves as a digital "seal of authenticity" for software components, bolstering trust and integrity throughout the development and distribution process.

This is achieved through settings on the GitHub repositories. Determine the effective set of settings, and implement them across projects.

ALRubinger avatar Dec 05 '23 05:12 ALRubinger

Not yet started in earnest. Some intro calls and backing thoughts as detailed in internal Supply Chain doc.

ALRubinger avatar Dec 05 '23 05:12 ALRubinger

We'll drop this in favor of release signing, which we have and have plans to improve.

ALRubinger avatar May 17 '24 19:05 ALRubinger