1Password is making it easier for GitHub users to set up signed commits using SSH keys. Signed commits verify that the person making the code change is who they say they are.
When code is checked into a git repository, the change is usually saved with the name of the person submitting the code. While the committer’s name is typically set by the user’s client, it can be easily changed to anything else, which makes it possible for someone to spoof the commit messages and names. This can have security implications if developers don’t actually know who submitted a particular piece of code.
The fundamental, unsolved problem underlying all of the cybersecurity problems on the Internet is the lack of good tools to truly authentic a live human being, says John Bambenek, principal threat hunter at Netenrich. Making cryptographic signing, or signed commits, easy allows organizations to have a higher level of assurance about the person’s identity.
“Without this, you are trusting the committer is who they say they are and the person accepting the commit understands and reviews the commit for problems,” he adds.
Bambenek notes that because criminals are going after code in open source libraries in earnest, being able to truly authenticate people pushing code means the window to using their repositories to compromise other organizations is much smaller.
Easier, Scalable Key Management
Michael Skelton, senior director of security operations at Bugcrowd, points out managing SSH and GPG keys for signing commits over multiple developer virtual and host machines can be a cumbersome and confusing process. Previously, developers interested in signed commits managed with key pairs stored in their GitHub accounts and on their local machines.
“This can make mass adoption of signed commits difficult, impairing the ability for your organization to make the most out of this feature,” he says. “By having 1Password manage this on your behalf, you can more easily deploy these keys and update configurations hassle-free.”
Because 1Password stores the SSH keys, it becomes easier, and less confusing, to manage keys over multiple devices. This feature also makes it possible to manage GitHub signing keys for developers in a more scalable fashion, Skelton says.
“By solving this problem, organizations can then look to enforce signed commits over their repositories using GitHub’s vigilant mode, helping to limit the ability for committer names to be misrepresented and in turn misinterpreted,” Skelton says.
With signed commits, it is easier to see when a commit has not been signed. It’s also possible to create an application security policy that rejects unsigned commits.
How to Set Up Signed Commits
Here’s how to set up GitHub to use SSH keys for verification.
- Update to Git 2.34.0 or later, then go to https://github.com/settings/keys and select “new SSH key,” followed by selecting “Signing Key.”
- From there, navigate to the “Key” box and select the 1Password logo, select “Create SSH Key,” fill in a title, and then select “Create and Fill.”
- For the last step, select “Add SSH Key,” and the GitHub part of the process is complete.
Once the key is set up in GitHub, proceed to 1Password on your desktop to configure your .gitconfig file to sign with their SSH key.
- Select the “Configure” option in the banner displayed on top, where a window will open with a snippet you can add to the .gitconfig file.
- Select the “Edit Automatically” option to have 1Password update the .gitconfig file with one click.
- Users in need of more advanced configuration can copy the snippet and do things manually.
A green verification badge for easy verification visibility will then be added to the timeline when you push to GitHub.