Code Signing in GitHub

The software that powers enterprises' innovations, products, and services today has established itself as one of the top assets for businesses, increasing the importance of taking appropriate measures to secure and govern source code repositories. With the growing adoption of AI-powered source code management platforms like GitHub, it's essential to review the code repository security features to reduce the likelihood and impact of these crown jewels being compromised.

GitHub provides a robust platform for collaboration, code management, and version control, and the repositories can pose a significant risk if not protected effectively. These source code repositories store the intellectual property (IP) of organizations, and proper management of these repositories is crucial to maintaining the integrity and security of business-critical software. The absence of robust repository security measures increases the potential for vulnerabilities and unauthorized access to sensitive projects.

A vital aspect of code integrity is validating the authenticity of the source of changes. Signed commits enable development teams to verify that the code changes originate from a trusted developer. In organizations where code reviews and approvals are crucial, especially for critical applications, a genuine Git signature significantly increases the likelihood that appropriately authorized personnel have reviewed and approved proposed changes.

To contextualize security levels: standard practices involve username and password authentication, stepping up to enhanced security incorporates Multi-Factor Authentication (MFA) for better protection, and achieving optimal security combines these methods with signed commits for the best line of defense. This layered approach, starting from expected login measures to the best practice of signed commits, is essential for organizations to bolster their software development environment, ensuring every access point and code change is thoroughly authenticated and verified, thereby maintaining the highest confidence in security and integrity.

GitHub provides native functionality for code signing using GPG (GNU Privacy Guard), SSH (Secure Shell), or S/MIME (Secure/Multipurpose Internet Mail Extensions) to cryptographically sign each commit, verifying that the changes originated from a trusted collaborator and that no unauthorized modifications occurred. Implementing signed commits is crucial for organizations to maintain a secure software development environment by providing confidence in the following areas:

1. Accountability: Signed commits help to maintain developer accountability by linking each commit to a specific individual, instilling a sense of responsibility when proposing changes.
2. Trustworthiness: Signed commits add an essential layer of trust and transparency among development team members, ensuring they can trust their colleagues' work while collaborating on code.
3. Auditability: The implementation of signed commits significantly enhances the auditability of software projects, which is crucial for security. By cryptographically linking each change to its author, it provides an immutable and verifiable history that simplifies the identification and resolution of issues by pinpointing the origins of changes.
4. Compliance: For specific industries, such as finance, healthcare, or defense, the ability to track and verify the origin of code changes may be required to meet regulatory compliance standards. Code signing using cryptographic mechanisms is specifically called out in the National Institute of Standards and Technology (NIST) Special Publication 800-53, and code signing can also contribute to compliance with sector-specific regulations such as PCI DSS and SOX, which require secure development and software trustworthiness.

To leverage signed commits effectively and maintain code integrity in your organization's GitHub repositories, consider the following best practices:

1. Establish a Policy: Create and enforce a company-wide policy that requires all commits to be signed, at a minimum for the organization’s most important tier of applications. This ensures consistency across all repositories and promotes a culture of security awareness among developers.
2. Training and Onboarding: Provide training for developers on generating keys, signing commits, and managing their keys securely. Ensure new team members are onboarded with this knowledge to maintain consistency and the required security posture.
3. Verify Signed Commits: Enforce branch protection rules that require signed commits for all protected branches, preventing any unsigned commit from being merged. Integrating a CI/CD pipeline can further automate the verification process during code review.
4. Key Management: Stress the importance of secure key management for developers. Encourage practices such as using strong and unique passphrases for each key, rotating keys regularly, and safely backing up and storing private keys.
5. Auditing and Monitoring: Regularly audit the commits across all repositories to ensure they are signed and adhere to the organization's requirements. Use GitHub features like the commit graph to visually identify unsigned commits, enabling a prompt investigation into potential security issues.

Emphasizing the importance of signed commits and ensuring that code integrity is maintained throughout your organization's software development process is crucial for mitigating security risks. Organizations can better safeguard their IP and maintain a secure GitHub environment by implementing the recommended practices — such as enforcing a company-wide policy, providing training, verifying commits, adhering to secure key management, and conducting regular audits.

Due to the sensitive and mission-critical data in code repositories, it’s not enough to simply scan the code itself for vulnerabilities: investing in robust repository security is now table stakes, and implementing signed commits supports codebase integrity and helps drive a proactive security culture.

KPMG is a Microsoft Alliance partner and has supported large organizations’ GitHub security efforts for years, enabling organizations to focus more on innovation and growth.