27 replies

RoyalOughtness - one suggestion for repos acros...

one suggestion for repos across the ublue github org: requiring signed commits in branch policies

RoyalOughtnessOP•7/12/24, 7:13 PM

most commits are verified/signed already, but mandating this for all primary branches is a good defense against supply chain attacks

j0rge•7/12/24, 7:19 PM

https://github.com/orgs/ublue-os/projects/1?pane=issue&itemId=61240671

j0rge•7/12/24, 7:19 PM

this'll be covered under the minder stuff

Jj0rge this'll be covered under the minder stuff

RoyalOughtnessOP•7/12/24, 7:23 PM

even better

j0rge•7/12/24, 7:23 PM

yeah that'll cover everything and will autocorrect missettings too

Jj0rge yeah that'll cover everything and will autocorrect missettings too

RoyalOughtnessOP•7/12/24, 7:23 PM

it integrates with github apis to set stuff like mandating signed commits?

j0rge•7/12/24, 7:24 PM

we can enforce any github setting

RoyalOughtnessOP•7/12/24, 7:24 PM

that's great

j0rge•7/12/24, 7:24 PM

like right now if we set up a new repo we gotta go and set up all the shit

RoyalOughtnessOP•7/12/24, 7:24 PM

i'll be looking into this for my projects

j0rge•7/12/24, 7:24 PM

they run a service, fully OSS

j0rge•7/12/24, 7:24 PM

https://github.com/stacklok/minder

GitHub

GitHub - stacklok/minder: Software Supply Chain Security Platform

Software Supply Chain Security Platform. Contribute to stacklok/minder development by creating an account on GitHub.

j0rge•7/12/24, 7:24 PM

or run it yourself

RoyalOughtnessOP•7/12/24, 7:25 PM

im assuming they don't require standing access?

RoyalOughtnessOP•7/12/24, 7:25 PM

since that would be

RoyalOughtnessOP•7/12/24, 7:25 PM

i'll look into it more later

j0rge•7/12/24, 7:25 PM

I haven't had a chance to dig into it, hence the placeholder ticket, heh

RoyalOughtnessOP•7/12/24, 7:25 PM

ideally they'd be using OBO tokens or something like that

RoyalOughtnessOP•7/12/24, 7:26 PM

where all authn/z is handled by github itself

HikariKnight•7/12/24, 9:03 PM

I have noticed signing commits is unreliable for me on GitHub. Seems like some get signed others don't

(obviously web edits always get signed)

M2•7/12/24, 9:11 PM

webedit is the only thing that get verified sign commits for me

HHikariKnight I have noticed signing commits is unreliable for me on GitHub. Seems like some g...

RoyalOughtnessOP•7/12/24, 11:03 PM

there's a config you have to set locally for git to make it so that git commitgit commit automatically signs them

RoyalOughtnessOP•7/12/24, 11:04 PM

https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key

GitHub Docs

Telling Git about your signing key - GitHub Docs

RoyalOughtnessOP•7/12/24, 11:04 PM

@M2 @HikariKnight

RoyalOughtnessOP•7/12/24, 11:04 PM

assuming you already have a GPG key

RRoyalOughtness assuming you already have a GPG key

HikariKnight•7/12/24, 11:22 PM

Yup but also I think my gpg key expires soon as I made it many many years ago

M2•7/12/24, 11:39 PM

It works on my work code base...

HikariKnight•7/13/24, 12:43 AM

For me the signing is a DND dice roll

RoyalOughtness - one suggestion for repos acros...

Similar Threads

Similar Threads

Similar Threads