loopbackio / security

[WORK IN PROGRESS] A centralised repository for all security-related matters on the LoopBack Project.
MIT License

Enforce opt-in signed Git Commits and Tags #18

Open achrinza opened 2 years ago

achrinza commented 2 years ago

Currently, we do not enforce PGP-signed Git Commits or Tags. This means that those who expect their contributions to be PGP-signed cannot enforce this policy across the loopbackio Git Repositories. Instead, each Pull Request would need to be manually reviewed for the respective Git Commits and Git Signatures.

This poses a potential security risk as:

  1. It is error-prone (e.g. Maintainers forget to check for verified Git Commits and Git Tags)
  2. The lifecycle of the PGP Keys is not clearly tracked. Adding or removing verified PGP Keys from a GitHub account does not require any publicly-visible evaluation or acknowledgement from other LoopBack Maintainers.

GitHub does provide a mechanism to enforce signed Git Commits and Tags. However:

  1. This does not work for the rebase and merge workflow, which we leverage (i.e. the GitHub check mechanism does not pass). Exact reasons are unclear since the resulting Git Commits and Git Tags still have a valid PGP Signature.
  2. It can only be enforced for everyone or no one. The LoopBack Project is a general open-source project, hence enforcing signed commits for every contributor would significantly raise the contribution barrier. Furthermore, this does not solve the problem of managing the PGP Keys' lifecycle in an open and transparent manner.

To combat this issue, LoopBack Maintainers who want to enforce valid, PGP-signed Git Commits and Git Tags should publish their PGP Public Key in this Git Repository, which will then be leveraged by a shared GitHub Action Workflow across the loopbackio Git Repositories to enforce this policy.

This issue is to track:

achrinza commented 2 years ago

A potential (though not yet tested) alternative is to leverage the Sigstore project, which provides a suite of tools, a free x.509 certificate authority, and a certificate transparency log.

It claims to provide the following benefits:

  1. Ephemeral, short-lived certificates to reduce the impact of a compromised private key
  2. OpenID Connect (OIDC)-based authentication with OIDC providers such as GitHub, Microsoft, etc. to authenticate the user before issuance of short-lived certificate
  3. Support for hardware tokens (e.g. YubiKey) via the Personal Identity Verification (PIV) card interface (Need to confirm this)
  4. Provides a transparency log instance for auditability
  5. Can be used to sign Git commits and tags (see Gitsign)
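The opt-in PGP approach from the opening comment (keys published in this repository, checked by a shared workflow) sketched as an added example; this is not loopbackio's own workflow, and it assumes the keys are committed as ASCII-armoured files under `keys/*.asc` (a made-up path) with `git` and `gpg` 2.2+ on the runner:

```shell
#!/bin/sh
# Added example, not loopbackio's own workflow: a CI step that checks every commit
# in a pull-request range against the maintainer public keys published in the repo.
# Assumptions: keys live as ASCII-armoured files under ./keys/*.asc (path made up
# for this example), and gpg (>= 2.2) and git are on PATH.
set -eu

# Import the published keys and print their fingerprints (primary and subkeys), one
# per line. The allowlist comes from files in the repository, not from the gpg trust
# database, so adding or removing a maintainer key is a reviewable change to this repo.
import_trusted_keys() {
  keydir="${1:-keys}"
  for key in "$keydir"/*.asc; do
    [ -e "$key" ] || continue
    gpg --batch --quiet --import "$key"
    gpg --batch --with-colons --show-keys "$key" | awk -F: '$1 == "fpr" { print $10 }'
  done
}

# One line per commit: "<sha> TAB <status> TAB <signing key fingerprint>".
# %G? is git's signature status: G good, U good but untrusted key, B bad,
# E cannot be checked (key missing), N unsigned. %GF is the signing key fingerprint.
list_commit_signatures() {
  git log --format='%H%x09%G?%x09%GF' "$1..$2"
}

# Read lines in that format from stdin. Succeeds only if every commit carries a
# valid signature (G or U; trust is decided by the allowlist, not by the trustdb)
# made by a fingerprint in the whitespace-separated allowlist passed as $1.
check_signatures() {
  allow="$1"; failed=0
  tab=$(printf '\t')
  while IFS="$tab" read -r sha status fpr; do
    [ -n "$sha" ] || continue
    case "$status" in
      G|U) ;;
      *) echo "FAIL $sha: signature status '$status'"; failed=1; continue ;;
    esac
    case " $allow " in
      *" $fpr "*) echo "ok   $sha signed by $fpr" ;;
      *) echo "FAIL $sha: $fpr is not a published maintainer key"; failed=1 ;;
    esac
  done
  return "$failed"
}

# Workflow entry point: enforce_pr_signatures "$BASE_SHA" "$HEAD_SHA" [keydir]
enforce_pr_signatures() {
  allow=$(import_trusted_keys "${3:-keys}" | tr '\n' ' ')
  list_commit_signatures "$1" "$2" | check_signatures "$allow"
}
```

Because the allowlist is rebuilt from the committed key files on every run, a key that was removed from the repository stops being accepted even if it is still valid on the contributor's GitHub account.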