Gittuf, a security layer for Git repositories that you should know

gittuf logo

Si You work with Git repositories and are concerned about their security, Let me tell you that for this there is a solution that can help you solve this and more. The usefulness of which Let's talk today's name is Gittuf which is a project that addresses security and access control limitations in Git.

Gittuf is focused on developing a hierarchical system to verify the content of repositories Git. This tool provides an additional layer of security and a set of utilities to manage developer keys with access to the repository, as well as set rules for accessing branches, tags, and individual files.

How does Gittuf work?

Gittuf Addresses these shortcomings of Git by implementing secure key management and granular access control mechanisms, inspired by The Update Framework (TUF) used in projects such as Docker, Fuchsia, AGL (Automotive Grade Linux) and PyPI to protect update processes, in addition to allowing associate trusted keys using Sigstore identities and supports signing Git commits using OIDC and GPG, as well as SSH keys.

The project stores additional verification information and artifacts in a specific namespace within the Git object store, allowing compatibility with existing tools and services such as GitHub and GitLab. In the absence of Gittuf support, the repository remains accessible, but the ability to thoroughly verify its integrity is limited.

In Gittuf, Developers and the changes they make are identified using digital keys and signatures. This system allows you to generate new keys securely, distribute keys reliably, perform periodic key rotations, revoke compromised keys, manage access lists (ACLs) and namespaces in Git repositories.

To verify signatures digital confirmations and labels, The repository owner generates and distributes public keysthat are directly associated with the repository. Mechanisms to revoke and replace keys are used to prevent attackers from promoting fraudulent changes after gaining access to keys to generate digital signatures of individual developers. Keys have a limited lifespan and require constant updates to protect against signing with old keys.

Furthermore, Gittuf maintains a reference record of all changes, known as the Reference State Record (RSL), whose integrity and protection against retroactive distortion are guaranteed by a "Merkle Tree" tree structure. Each branch of the tree verifies all underlying branches and nodes thanks to the tree hash, allowing users to verify the correctness of the entire history of past operations and states. It also protects against "reference state attacks" on Git repositories and plans to add flexibility in cryptographic algorithms, integration with in-toto for SLSA source tracking certifications, and read access restriction on Git repositories.

It is worth mentioning that Gittuf is currently in a pre-alpha phase, where its main features are in the process of development and currently the main priority is to move towards the alpha version in which the work will be to implement the main design document, which includes features such as policies for Git and file namespaces, key distribution , reference state logging, and the ability to sync Gittuf metadata with remote repositories.

As such, the Gittuf roadmap lays out a plan for using the Gittuf tool itself in its development and assurance. Gittuf's dogfooding process It will be carried out in several phases:

  • Phase 1
    In this initial stage, automation will be used to create and sign RSL entries on behalf of Gittuf maintainers, and a GitHub certification will be recorded for each pull request merged into the master branch, providing an auditable trail for future inspections using Gittuf.
  • Phase 2
    With the improvement of command support and usability of the Gittuf tool, the transition will begin so that at least some RSL entries are issued by local keys held by maintainers.
  • Phase 3
    As Gittuf approaches version 1, expect a smoother transition to primarily offline signing. This will require additional usability improvements. In this final phase, we hope to have addressed the issues of actively using Gittuf to proceed with a stable and functional version.

If you are interested in knowing more about it, you can check the details In the following link.

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.