Keeper Security has recently announced a new open-source project that aims to make it easier and more secure for software developers and DevOps professionals to sign git commits with their Keeper vault. This integration with Keeper Secrets Manager (KSM) allows users to utilize Secure Shell (SSH) keys stored in their Keeper Vault to digitally sign commits and ensure the authenticity of their code.
Git is a widely used version control system that helps track changes in software projects, while a git commit is a snapshot of these changes at a specific point in time, accompanied by a brief description of the modifications made. To address the need for increased security and streamlined workflows, Keeper Security collaborated with The Migus Group to develop an open-source solution for signing git commits using SSH keys stored in a user’s Keeper Vault. This integration provides developers with a secure and encrypted repository for their SSH keys, eliminating the need to store them on disk.
Craig Lurey, CTO and Co-founder of Keeper Security, emphasized the added layer of protection and ease-of-use offered by storing SSH keys and other credentials in Keeper Vault. He mentioned that the integration enables developers to validate software code with a cryptographic digital signature and transparent logging, simplifying a historically complex process. Lurey also expressed his belief that, in the future, all code will be signed, creating a single source of truth that reduces supply chain attacks.
The rise in software supply chain attacks has underscored the importance of prioritizing security in the software supply chain. Signing git commits is considered a best practice for developers to verify the authenticity and integrity of code releases. When developers sign commits with SSH keys, they produce cryptographic proof of authorship, adding a security measure to the supply chain by assuring users that the software originated from a legitimate source and has not been altered since it was signed. Furthermore, digital signatures can be incorporated into a Software Bill of Materials (SBOM) to indicate the trustworthiness of each line item, based on its code signature status.
Adam Migus, Founder and CEO of The Migus Group, explained that their customers were seeking protection against supply chain attacks, and they were already working on solutions using Keeper. Collaborating with Keeper to make the git commit-signing process both safer and easier was seen as a win-win proposition. With this new integration, customers can seamlessly sign commits with keys that never leave their vaults, while the broader community benefits from a secure commit signing process and centralized key management.
The SSH keys for signing commits are securely stored in KSM, a fully managed cloud-based platform designed to secure infrastructure secrets. KSM eliminates secrets sprawl by removing hard-coded credentials from source code, config files, and CI/CD systems. The platform has been named an overall leader in the 2023 KuppingerCole Leadership Compass for Secrets Management. KSM is supported on Windows, macOS, and Linux and incorporates a zero-knowledge security architecture. It is highly secure, with ISO 27001 and SOC 2 compliance, as well as FedRAMP and StateRAMP Authorization, among other certifications.
Overall, Keeper Security’s new open-source project offers developers and DevOps professionals a more secure and streamlined approach to signing git commits. By utilizing the capabilities of Keeper Secrets Manager and the encryption provided by Keeper Vault, individuals can authenticate their code and safeguard against potential supply chain attacks. This initiative not only benefits Keeper Security’s customers but also contributes to the broader software development community’s understanding of secure commit signing and the advantages of centralized key management.
