By Aditya Sirish A Yelgundhalli and Justin Cappos, NYU.
We’re pleased to announce that gittuf, a security layer for Git repositories, has joined the OpenSSF as a sandbox project. The project is housed under the Supply Chain Integrity Working Group.
What does gittuf do?
Git is the most popular version control system used today. Out of the box, Git provides some features related to security such as its use of cryptographic hashes in its object store, and the ability to sign commits, tags, and pushes. However, Git does not support policies. This means that it isn’t possible to stop people from reading or writing to parts of a software repository. Similarly, Git also does not tell which developers keys should be trusted for a commit or tag signatures in a repository.
gittuf fills these gaps by implementing support for secure key management and granular access control mechanisms, using some semantics from The Update Framework (TUF). Today, gittuf allows for associating trusted keys using Sigstore identities for developers that use gitsign, so developers can sign their Git commits using a “keyless workflow” built on OIDC authentication. Git’s default signing method, GPG, is also supported, as are SSH keys. Enforcement of policies is distributed, which naturally makes them open and verified closer to the developer. gittuf also implements protections against “reference state attacks”, a class of attacks against Git repositories detailed in academic research.
In addition to these features, we plan to support flexibility in the cryptographic algorithms used. Also, we plan to have gittuf integrate with in-toto so as to support SLSA source track attestations. We also plan to add support for restricting read access to files and branches in a Git repository. Finally, all of the functionality of gittuf is backwards compatible with existing repositories and tools, making it easy to incrementally adopt.
Who are we?
gittuf is developed and maintained by a variety of folks from industry and academia. All of us have helped develop other open source projects in the software supply chain security such as in-toto, TUF, Tekton (and Tekton Chains) and Sigstore. We have also contributed to various efforts at the OpenSSF and the Cloud Native Computing Foundation (CNCF) such as SLSA, software supply chain security white papers, and working groups in both foundations focused on these problems.
Get Involved
gittuf recently reached the alpha stage, and is under active development. The code is all available under the open source Apache 2.0 license. As such, there are a number of ways for contributors to get involved, like code contributions on the project repository as well as updates to gittuf’s design.
We’re also actively seeking details on the different workflows developers use Git for, so that we can make gittuf as easy to adopt and use as possible. Feel free to take a look at the issue tracker, gittuf’s roadmap, play with the demo, meet with the community in our monthly meeting (first Friday of every month at 12 PM eastern time), and come say hello on the #gittuf channel in the OpenSSF Slack workspace. We look forward to working with you!
About the Author(s)
Aditya Sirish A Yelgundhalli is a Ph.D. candidate at NYU’s Secure Systems Lab where he researches software supply chain security. He’s one of the maintainers of in-toto, a contributor to TUF, and he participates in other supply chain security related efforts at the CNCF and OpenSSF.
Justin Cappos is a professor at NYU Tandon School of Engineering who has been working on software supply chain security for more than 20 years. He is a maintainer/creator of the TUF, Uptane, and in-toto projects, which are all under the Linux Foundation.