Billy Lynch

153 posts

@wflynch

Software Engineer @chainguard_dev | gitsign @projectsigstore | @tektoncd | Prev: @Google

New York, NY · Joined September 2012
291 Following · 324 Followers
Billy Lynch @wflynch
@therealpires @mattomata @lorenc_dan GitHub API signing uses a single shared key for all users, so they need to double check the commit to make sure they're signing on behalf of the right user. Gitsign includes a unique cert bound to the user OIDC token, so it doesn't need to do this matching.
Billy Lynch @wflynch
@therealpires @mattomata @lorenc_dan Nope! Gitsign doesn't enforce commit emails to match. Sometimes we want to sign with identities that don't have an email (i.e. CI runners). While matchCommitter exists, it's a convenience to use the right account - it doesn't have any weight on verification.
Billy Lynch reposted
OpenSSF @openssf
gittuf, a security layer for Git repositories, has joined the OpenSSF as a sandbox project housed under the Supply Chain Integrity Working Group. 🎉 gittuf stands out by implementing an array of features dedicated to enhancing security. Learn more today: openssf.org/blog/2024/01/1…
Billy Lynch @wflynch
@adityasaky @jacques_chester @decodebytes Like @adityasaky said, `gitsign attest` can store detached signatures/attestations on commits without modifying the original SHA, but it does this by storing data in a different ref space, which means things like remote branch operations won't include signatures by default. 🤷‍♂️
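The behaviour described in this post, as an added shell example that is not gitsign's own code: data stored under a separate ref namespace is left behind by an ordinary branch push and only reaches the remote with an explicit refspec. The namespace refs/attestations/<commit> is an assumed placeholder, not a claim about gitsign's actual ref layout, and the remote is a local bare repository so nothing touches the network.

```shell
#!/bin/sh
# Added example (not gitsign's code). Demonstrates that refs outside
# refs/heads/* do not travel with a plain branch push, and what an explicit
# push of the namespace looks like. refs/attestations/<commit> is a
# placeholder namespace assumed for illustration only.
set -eu

setup_repos() {
  WORK=$(mktemp -d)
  git init -q --bare "$WORK/remote.git"
  git init -q "$WORK/local"
  cd "$WORK/local"
  git config user.name "Example CI"
  git config user.email "ci@example.invalid"
  git remote add origin "$WORK/remote.git"
  echo "hello" > file.txt
  git add file.txt
  git commit -q -m "initial commit"
  COMMIT=$(git rev-parse HEAD)
  # Store a constructed "attestation" as a blob under a separate ref.
  # The commit object itself is untouched, so its SHA does not change.
  BLOB=$(printf 'constructed attestation for %s\n' "$COMMIT" | git hash-object -w --stdin)
  git update-ref "refs/attestations/$COMMIT" "$BLOB"
  # An ordinary branch push: only the branch ref is sent.
  git push -q origin HEAD:refs/heads/main
}

# Succeeds only if the remote already holds a ref in the attestation namespace.
remote_has_attestations() {
  git ls-remote --exit-code "$WORK/remote.git" 'refs/attestations/*' >/dev/null 2>&1
}

# The explicit step a client needs so the detached data reaches the remote.
push_attestations() {
  git push -q origin 'refs/attestations/*:refs/attestations/*'
}

demo() {
  setup_repos
  if remote_has_attestations; then echo "unexpected: attestation ref was pushed"; return 1; fi
  echo "branch pushed; attestation ref left behind, as the post describes"
  push_attestations
  remote_has_attestations && echo "attestation ref present after explicit refspec push"
}
```

Run `demo` in a shell with git installed; the same refspec idea applies in reverse for `git fetch`, which also ignores the namespace unless asked.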
Billy Lynch @wflynch
@adityasaky @jacques_chester @decodebytes General +1 to this! The gitsign signature format CAN support multiple signatures (the underlying format is PKCS7), but practically it's not really useful because it will cause the SHA to change, so the gitsign tool doesn't bother to support it at the moment.
Billy Lynch reposted
🦊 GitLab @gitlab
The future of security looks bright, you don't even need a key 🚫🔑 We partnered with @projectsigstore to help you move away from traditional keys to keyless signing. Learn how to do this by adding just a few lines in a yml file: bit.ly/3PDaJPE
Billy Lynch reposted
GitGuardian @GitGuardian
Dive into the world of code signing and supply chain security with Billy Lynch from @chainguard_dev With years of experience at Google, Billy brings unique insights into securing our digital ecosystems. Don't miss this episode: youtu.be/oRCJM5beQYE #SupplyChainSecurity
Billy Lynch reposted
Chainguard ⛓️ @chainguard_dev
🆕 Chainguard Academy is live 💜 📗OSS: SLSA, SBOMs, Wolfi, apko, melange, sigstore, etc 📙Edu: glossary, recommendations & more 📘PDocs: Images, Enforce, chainctl 🔗edu.chainguard.dev
Billy Lynch reposted
Chainguard ⛓️ @chainguard_dev
🟣Software Self-Attestation With @lorenc_dan: Industry Perspectives Feat. CRob 🟣Learn everything you need to know about SSDF and CISA's Software Self-Attestation Form! Tomorrow 👇 crowdcast.io/c/self-attesta…
Billy Lynch reposted
GitGuardian @GitGuardian
📝 Billy Lynch from @chainguard_dev challenged us to rethink our trust in signed commits in git. Through his session on Gitsign, he explored why and how we need to ensure the integrity of our code in the face of escalating supply chain security issues. 5/7
Billy Lynch reposted
Wolfi OS @wolfi_os
Starting random gratitude shoutouts to the amazing people who are dedicated to OSS 🐙 First up, @puerco, who is the sBOM 💣 & 🦸‍♂️saves the world from drowning in CVE false positives w OpenVEX 🫶 has a heart of gold We appreciate you! 💜
Billy Lynch reposted
Chainguard ⛓️ @chainguard_dev
📝“Being able to sign artifacts without needing to worry about keys goes a long way to help developers secure their supply chains without needing to worry about the complexities of key management”. @wflynch cd.foundation/blog/2023/05/0…