Keeper Security has launched a new open source project that it hopes will help protect against supply chain attacks.
Secure Shell (SSH) keys can now be used to sign git commits to verify that software is genuine. Git commits are are used to keep track of changes to code, with brief descriptions of said changes at the current time.
The password manager and secrets management firm has partnered with The Migus Group to offer this open source method to sign commits with SSH keys that are stored in the user’s Keeper Vault.
Easier and more secure
Git commits are considered important in helping to secure the software supply chain, and it is recommended for all developers to sign them to signal the integrity of their software.
By offering developers a way to sign them with SSH keys, which are stored in the cloud with encryption, it means that they no longer have to store them on disk, which Keeper says, “[increases] security and [streamlines] DevOps workflows.”
It also said that signing git commits with SSH keys provides a “cryptographic proof of authorship,” and lets others know that the code has not been tampered with, thus helping to secure the supply chain.
The digital signature can be used as part of a Software Bill of Materials (SBOM) as well, to show that an item in the SBOM is trusted.
The SSH keys are stored in the Keeper Secrets Manager (KSM), which is cloud-based and uses zero knowledge architecture. It is also compliant with ISO 27001 and SOC 2, as well as FedRAMP and StateRAMP Authorization, among others.
Keeper Security CTO Craig Lurey believes that this new implementation is unique in its “layer of protection and ease-of-use,” adding that, “our integration enables developers to validate the software code with a cryptographic digital signature and transparent logging, making what historically has been a complex process into a simple one.”
Adam Migus, CEO of The Migus Group, also said, “we thought working with [Keeper Security] to make the git commit-signing process both safer and easier would be a win-win-win. Our customers can now seamlessly sign commits with keys that never leave their vaults.”
