Keeper Security has a new idea to help prevent supply chain attacks

Supply Chain
(Image credit: Shutterstock.com / TMLsPhotoG)

Keeper Security has launched a new open source project that it hopes will help protect against supply chain attacks.

Secure Shell (SSH) keys can now be used to sign git commits to verify that software is genuine. Git commits are are used to keep track of changes to code, with brief descriptions of said changes at the current time.

The password manager and secrets management firm has partnered with The Migus Group to offer this open source method to sign commits with SSH keys that are stored in the user's Keeper Vault.

Easier and more secure

Git commits are considered important in helping to secure the software supply chain, and it is recommended for all developers to sign them to signal the integrity of their software.

By offering developers a way to sign them with SSH keys, which are stored in the cloud with encryption, it means that they no longer have to store them on disk, which Keeper says, "[increases] security and [streamlines] DevOps workflows."

It also said that signing git commits with SSH keys  provides a "cryptographic proof of authorship," and lets others know that the code has not been tampered with, thus helping to secure the supply chain. 

The digital signature can be used as part of a Software Bill of Materials (SBOM) as well, to show that an item in the SBOM is trusted. 

The SSH keys are stored in the Keeper Secrets Manager (KSM), which is cloud-based and uses zero knowledge architecture. It is also compliant with ISO 27001 and SOC 2, as well as FedRAMP and StateRAMP Authorization, among others.

Keeper Security CTO Craig Lurey believes that this new implementation is unique in its "layer of protection and ease-of-use," adding that, "our integration enables developers to validate the software code with a cryptographic digital signature and transparent logging, making what historically has been a complex process into a simple one."

Adam Migus, CEO of The Migus Group, also said, "we thought working with [Keeper Security] to make the git commit-signing process both safer and easier would be a win-win-win. Our customers can now seamlessly sign commits with keys that never leave their vaults."

MORE FROM TECHRADAR PRO

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

Read more
Shadowed hands on a digital background reaching for a login prompt.
This worrying Git flaw could lead to users leaking credentials
An abstract image of digital security.
Hundreds of GitHub repositories hijacked to trick users into downloading malware
Cyber-security
The definitive guide to credential collaboration
Representational image depecting cybersecurity protection
OpenSSH vulnerabilities could pose huge threat to businesses everywhere
Keeper
Secure your data this holiday season with Keeper’s biggest sale yet
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough