Navigating the Land of Git Commit Signatures With Gittuf - Patrick Zielinski & Yongjae Chung

OpenSSF
Jun 3, 2026

Why It Matters

GitTuf shifts trust from centralized forges to repository-carried verification, reducing risk from compromised accounts or forges and giving teams enforceable, auditable provenance and policy controls to harden software supply chains.

Summary

In a talk demonstrating commit-signature pitfalls, Patrick Zielinski and Yongjae Chung show how author metadata can be easily spoofed and how forge “verified” badges can be misleading. They introduce GitTuf, an OpenSSF-incubating security layer that embeds signatures and policy metadata into Git itself via an append-only reference log so keys, policies and signature checks travel with the repository. GitTuf enables client-side verification at each step of a workflow and supports rules like branch/tag protection, file-level restrictions, minimum-approval thresholds and blocking force-pushes. The presenters also walked through a setup/demo to illustrate practical adoption and default security configurations.

Original Description

Navigating the Land of Git Commit Signatures With Gittuf - Patrick Zielinski, Secure Systems Lab @ NYU & Yongjae Chung, New York University
You’ve probably heard by now that Git supports signing your commits and the chorus encouraging you to sign your commits.
There’s just a tiny little problem: what exactly do you do with those signatures? How do you know if a signature is legitimate? When a signing key needs to be rotated and is marked as untrusted, does that mean your entire Git history is “untrusted”? What makes a commit “Verified” on GitHub?
Wonder no more. In this talk, we will discuss the state of Git commit signing today, and dispel the mysteries that surround making sense of commit signatures. We’ll look at how gittuf brings structure to commit signatures, and then uses these signatures to enforce a security policy on your repository.
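The description above asks what to do with a signature once you have it, and how key rotation should affect older history; the summary mentions the same binding of keys to policy. The following is an added example (not from the talk and not gittuf's own code) of the minimal client-side check those questions imply: each commit's signature status and signing-key fingerprint are read from `git log --format='%H%x09%G?%x09%GF%x09%cI%x09%ae'` (real Git placeholders) and evaluated against an explicit, repository-local trust policy. The policy format (`KeyEntry` with allowed author emails and an optional retirement date) and the log lines are constructed for this example.

```python
"""Evaluate Git commit signatures against an explicit trust policy.

Input lines have the shape produced by
    git log --format='%H%x09%G?%x09%GF%x09%cI%x09%ae' <range>
i.e. commit hash, signature status, signing-key fingerprint, committer
date (ISO 8601) and author email, tab separated. Everything below is a
constructed illustration, not the output of a real repository.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Signature status codes Git emits for the %G? placeholder.
GOOD = "G"
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key or broken setup)",
    "N": "no signature",
}


@dataclass(frozen=True)
class KeyEntry:
    """Who a key may sign for, and (optionally) when trust in it ended.

    A retirement date lets old commits made by a rotated key stay valid
    while anything signed after that date is rejected, so rotating a key
    does not invalidate the whole history. (Policy shape is an assumption
    of this example.)
    """
    emails: FrozenSet[str]
    valid_until: Optional[datetime] = None


@dataclass(frozen=True)
class Finding:
    commit: str
    verdict: str   # "ok" or "reject"
    reason: str


def parse_line(line: str):
    commit, status, fpr, date, email = line.rstrip("\n").split("\t")
    return commit, status, fpr, datetime.fromisoformat(date), email


def evaluate(lines: List[str], policy: Dict[str, KeyEntry]) -> List[Finding]:
    """Return one Finding per log line, in input order."""
    findings = []
    for line in lines:
        commit, status, fpr, when, email = parse_line(line)
        # 1. The signature itself must verify; "N" and "E" are not "verified".
        if status != GOOD:
            reason = STATUS_MEANING.get(status, f"unknown status {status!r}")
            findings.append(Finding(commit, "reject", reason))
            continue
        # 2. A good signature is only meaningful from a key the policy lists.
        entry = policy.get(fpr)
        if entry is None:
            findings.append(Finding(commit, "reject", f"key {fpr} not in trust policy"))
            continue
        # 3. A rotated key stays valid for commits made before its retirement.
        if entry.valid_until is not None and when > entry.valid_until:
            findings.append(Finding(commit, "reject", f"key {fpr} was retired before this commit"))
            continue
        # 4. The author field is free text; bind it to the signing identity.
        if email not in entry.emails:
            findings.append(Finding(commit, "reject", f"key {fpr} is not authorised to sign for {email}"))
            continue
        findings.append(Finding(commit, "ok", "good signature by a key bound to the author"))
    return findings


# Constructed policy: two keys, the second retired at the start of 2026.
POLICY = {
    "4F2A0000000000000000000000000000000000AA": KeyEntry(frozenset({"alice@example.org"})),
    "9C110000000000000000000000000000000000BB": KeyEntry(
        frozenset({"bob@example.org"}),
        valid_until=datetime(2026, 1, 1, tzinfo=timezone.utc),
    ),
}

# Constructed log lines covering the cases the policy distinguishes.
SAMPLE_LOG = [
    "1111111\tG\t4F2A0000000000000000000000000000000000AA\t2026-02-03T10:00:00+00:00\talice@example.org",
    "2222222\tN\t\t2026-02-04T10:00:00+00:00\talice@example.org",
    "3333333\tG\tDEAD0000000000000000000000000000000000CC\t2026-02-05T10:00:00+00:00\tcarol@example.org",
    "4444444\tG\t9C110000000000000000000000000000000000BB\t2025-12-01T10:00:00+00:00\talice@example.org",
    "5555555\tG\t9C110000000000000000000000000000000000BB\t2025-12-02T10:00:00+00:00\tbob@example.org",
    "6666666\tG\t9C110000000000000000000000000000000000BB\t2026-02-07T10:00:00+00:00\tbob@example.org",
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG, POLICY):
        print(f"{f.commit}  {f.verdict:6}  {f.reason}")
```

The fourth sample line is the author-spoofing case from the talk: the author field claims to be alice, the signature is genuine, but it was made with bob's key, so the commit is rejected even though a forge would show it as signed. The sixth line shows that marking a key as retired only affects commits made after the retirement date, not the history signed while the key was trusted.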
