Ask HN: How are you stopping supply chain attacks via compromised dev keys?
The article discusses concerns regarding supply chain attacks facilitated by compromised developer keys on platforms like GitHub and GitLab. It highlights the lack of features such as organization-level allowlisting of signing keys and the inability to reject pushes based on signing keys. The author expresses frustration over the need for additional security measures and the inadequacy of existing protections.
- GitHub and GitLab verify commits based on user account keys but do not allow specific key requirements.
- Compromised developer accounts can still push malicious commits that appear verified.
- The author is considering implementing hardware keys and custom verification processes due to security concerns.
Opening excerpt (first ~120 words)
GitHub and GitLab will verify that a commit is signed by some key on the user's account. They won't let you require that it be signed by a specific key, like a hardware-backed YubiKey your org issued. So if an attacker compromises a developer's laptop or GitHub account, they can add a new signing key, push commits signed with it, and pass every "Require signed commits" protection in place. The malicious commit lands in the repo with a "Verified" badge.

As far as I can tell, neither platform offers:
- An org-level allowlist of approved signing keys
- A way to reject a push based on the signing key itself
- A built-in way to audit who has accessed what (You have to stream and parse the audit logs yourself!)

The workarounds I've seen, like re-verifying signatures in CI, blocking deployments on…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Ycombinator.
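
The allowlist check the post says is missing, written as a CI-side step. This is an added example, not code from the original post or from either platform: it parses `git log` output built from git's `%G?` (signature status) and `%GF` (signing-key fingerprint) placeholders and rejects any commit not signed by an org-issued key. The fingerprints, commit ids and addresses are constructed placeholders, and exact-match comparison of fingerprint strings is an assumption.

```python
# Added example: enforce an org allowlist of signing-key fingerprints in CI.
# Expected input is the output of:
#   git log --format='%H|%G?|%GF|%ae' <base>..<head>

# Constructed allowlist (placeholder fingerprints, not real keys).
ALLOWED_FINGERPRINTS = {
    "AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111",
    "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222",
}

# Only "G" (good signature, valid key) passes. Git's other status codes
# (B bad, U unknown validity, X/Y expired, R revoked, E cannot check,
# N unsigned) are all rejected, so the check fails closed.
ACCEPTED_STATUS = {"G"}


def check_commits(log_lines, allowed=ALLOWED_FINGERPRINTS):
    """Return (commit, reason) for every commit that must be rejected."""
    violations = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            violations.append((line[:40], "unparseable log line"))
            continue
        commit, status, fingerprint, author = parts
        if status not in ACCEPTED_STATUS:
            violations.append((commit, f"signature status {status!r} not accepted"))
        elif fingerprint not in allowed:
            # Valid signature, but made with a key the org never issued:
            # the case that still earns a "Verified" badge on the platform.
            violations.append((commit, f"key {fingerprint} not on allowlist ({author})"))
    return violations


# Constructed sample log lines (not real commits).
SAMPLE_LOG = [
    "1111111111111111111111111111111111111111|G|AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111|alice@example.com",
    "2222222222222222222222222222222222222222|G|CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333|bob@example.com",
    "3333333333333333333333333333333333333333|N||carol@example.com",
    "4444444444444444444444444444444444444444|E|DDDD4444DDDD4444DDDD4444DDDD4444DDDD4444|dave@example.com",
]

if __name__ == "__main__":
    for commit, reason in check_commits(SAMPLE_LOG):
        print(f"REJECT {commit[:12]}: {reason}")
```

Git reports `G` only for keys present in the CI runner's keyring, so both the keyring and the allowlist need to come from a source the pushing developer cannot modify.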