Verify commit signed with sigstore

[ctron]

I would like to use sigstore in a repository. That works with git just fine, but pushing signed commits to GitHub now shows those commits in orange and as "unverified":

So adding things that makes the code actually more secure, gets visually downgraded on GitHub. And it doesn't seem to look like that I can configure this.

I guess what I am looking for is proper sigstore support, or maybe a way to ignore sigstore style signatures if they aren't supported.

[jdevfullstack]

seems interesting, it's hosted on GitHub and there are developers you can see

https://github.com/sigstore

you can try asking in the most relevant repo that you will see

[ctron]

they are the official ways to verify commits, that's why I'm pointing you to that project, maybe they are still not recognized by GitHub ?

I guess so, but I think this is something that GitHub would need to fix. I am not sure the project could do that for them?

Aside, I still think that the GitHub UI doesn't do a good here either. If GitHub doesn't trust those signatures, then it might be necessary to add an option for adding a trust anchor (so that it can get verified) or to allow disabling the badge (if GitHub is unable to verify the signature, but others might).

[christophe-kamphaus-jemmic]

The sigstore project actually has an issue which is just for communicating on Github progress for supporting sigstore commit signatures: sigstore/gitsign#40

Gitlab has an issue for sigstore integration: https://gitlab.com/gitlab-org/gitlab/-/issues/364428

[ctron]

So I guess this is the "answer".

[wlynch]

Gitsign maintainer here - we keep sigstore/gitsign#40 open because we get this question a lot. As you mentioned, it is unfortunately not something that the Sigstore project has much control of, since it comes down to what roots GitHub trusts to show the green checkmark.

Currently GitHub uses the Debian ca-certificates package, which uses the Mozilla CA List, which Sigstore is not a part of. We've had some discussions internally of what it would take to get Sigstore added to the list, but since it is primarily targeted towards web browser certificates some of the requirements don't necessarily make sense for Sigstore (particularly around revocation requirements since Fulcio only issues short-lived code signing certs).

I'd love to keep this discussion open as a signal on the GitHub side for adding support for the Sigstore root. No one wants to see this happen more than me. 🙂

[ctron]

@wlynch Thanks for letting us know. I unmarked the "answer", keeping it open as you suggested. Which I think makes sense.