Enforcing source code integrity through gitsign

Install

go install github.com/sigstore/gitsign@latest

Prep (one-time only)

git config --local commit.gpgsign true  # Sign all commits
git config --local gpg.x509.program gitsign  # Use Gitsign for signing
git config --local gpg.format x509  # Gitsign expects x509 args
git config --local tag.gpgsign true  # Sign all tags

Demo (Enforce gitsign)

$ git branch
$ git checkout -b enforce-gitsign-branch
$ date >> date.out && git add date.out && git commit -m 'adding date to date.out in enforce-gitsign-branch'
$ git push --set-upstream origin enforce-gitsign-branch

Cleanup

git checkout main
git push -d origin enforce-gitsign-branch
git branch -D enforce-gitsign-branch

Name		Name	Last commit message	Last commit date
Latest commit History 199 Commits
.chainguard		.chainguard
.github/workflows		.github/workflows
policies		policies
scans		scans
Dockerfile		Dockerfile
README.md		README.md
att-vuln-critical-cve.json		att-vuln-critical-cve.json
dan-gitconfig		dan-gitconfig
date.out		date.out
enforce-for-github-demo.sh		enforce-for-github-demo.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Enforcing source code integrity through gitsign

Install

Prep (one-time only)

Demo (Enforce gitsign)

Cleanup

About

Releases

Packages

Contributors 3

Languages

chainguard-dev/source-integrity-demo

Folders and files

Latest commit

History

Repository files navigation

Enforcing source code integrity through gitsign

Install

Prep (one-time only)

Demo (Enforce gitsign)

Cleanup

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Contributors 3

Languages

Packages