... | ... | @@ -2298,6 +2298,19 @@ Similar projects: |
* [Trillian](https://github.com/google/trillian-examples) (Google)
* [sigsum](https://www.sigsum.org/), similar to sigstore, but [more minimal](https://git.sigsum.org/sigsum/tree/archive/2022-03-15-notes-on-sigsum-and-rekor.md)
### Sirish: gittuf
[Aditya Sirish][], a PhD student under TUF's Cappos is building
[gittuf][] a "security layer for Git repositories" which allows things
like multiple signatures, key rotation and in-repository attestations
of things like "CI ran green on this commit".
Designed to be backend agnostic, so should support GPG and sigstore,
also includes in-toto attestations.
[Aditya Sirish]: https://github.com/adityasaky
[gittuf]: https://gittuf.dev/
### Other caveats
Also note that git has limited security guarantees regarding
... | ... | |
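Review bot: the closing paragraph of the new gittuf section ("Designed to be backend agnostic, so should support GPG and sigstore, also includes in-toto attestations.") is a fragment; suggest a full sentence such as "gittuf is designed to be backend agnostic, so it should support both GPG and sigstore signing, and it also carries in-toto attestations." Two smaller points in the same hunk: "TUF's Cappos" would read better with the full name (Justin Cappos) on first mention, and the two reference-style link definitions ("[Aditya Sirish]: ..." and "[gittuf]: ...") sit inside the section rather than with the page's other link definitions, so consider moving them or switching to the inline-link style the neighbouring Trillian and sigsum bullets use.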