Keeper Security has a new idea to help prevent supply chain attacks
Keeper Security has launched a new open source project that it hopes will help protect against supply chain attacks.
Secure Shell (SSH) keys can now be used to sign git commits to verify that the software is genuine. Git commits are used to track changes to the code, with short descriptions of the current changes.
The password manager and secrets management company have partnered with The Migus Group to offer this open source method for signing commits with SSH keys stored in the user’s Keeper Vault.
Easier and safer
Git commits are considered important in helping secure the software supply chain, and it is recommended that all developers sign them to indicate the integrity of their software.
Offering developers a way to sign them with SSH keys, which are stored encrypted in the cloud, means they no longer have to store them on disk. Keeper says: “(increases) security and (streamlines) DevOps workflows.”
It also said that signing git commits with SSH keys provides “cryptographic proof of authorship” and lets others know that the code has not been tampered with, thus securing the supply chain.
The digital signature can also be used as part of a Software Bill of Materials (SBOM) to indicate that an item in the SBOM is trusted.
The SSH keys are stored in the Keeper Secrets Manager (KSM), which is cloud-based and uses a zero-knowledge architecture. It also complies with ISO 27001 and SOC 2, as well as FedRAMP and StateRAMP Authorization, among others.
Keeper Security CTO Craig Lurey believes this new implementation is unique in its “layer of protection and ease of use,” adding that “our integration allows developers to validate the software code with a cryptographic digital signature and transparent logging, eliminating some historic seen, a complex process has been turned into a simple process.”
Adam Migus, CEO of The Migus Group, also said: “we thought working with (Keeper Security) to make the git commit signing process both more secure and easier would be a win-win-win. Our customers can now seamlessly sign commits with keys that never leave their safe.”