Keeper Security has a new idea to help prevent supply chain attacks

Supply Chain
(Image credit: / TMLsPhotoG)

Keeper Security has launched a new open source project that it hopes will help protect against supply chain attacks.

Secure Shell (SSH) keys can now be used to sign git commits to verify that software is genuine. Git commits are are used to keep track of changes to code, with brief descriptions of said changes at the current time.

The password manager and secrets management firm has partnered with The Migus Group to offer this open source method to sign commits with SSH keys that are stored in the user's Keeper Vault.

Easier and more secure

Git commits are considered important in helping to secure the software supply chain, and it is recommended for all developers to sign them to signal the integrity of their software.

By offering developers a way to sign them with SSH keys, which are stored in the cloud with encryption, it means that they no longer have to store them on disk, which Keeper says, "[increases] security and [streamlines] DevOps workflows."

It also said that signing git commits with SSH keys  provides a "cryptographic proof of authorship," and lets others know that the code has not been tampered with, thus helping to secure the supply chain. 

The digital signature can be used as part of a Software Bill of Materials (SBOM) as well, to show that an item in the SBOM is trusted. 

The SSH keys are stored in the Keeper Secrets Manager (KSM), which is cloud-based and uses zero knowledge architecture. It is also compliant with ISO 27001 and SOC 2, as well as FedRAMP and StateRAMP Authorization, among others.

Keeper Security CTO Craig Lurey believes that this new implementation is unique in its "layer of protection and ease-of-use," adding that, "our integration enables developers to validate the software code with a cryptographic digital signature and transparent logging, making what historically has been a complex process into a simple one."

Adam Migus, CEO of The Migus Group, also said, "we thought working with [Keeper Security] to make the git commit-signing process both safer and easier would be a win-win-win. Our customers can now seamlessly sign commits with keys that never leave their vaults."


Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.