Gittuf 0.4 has been released. The project aims to improve the security of Git repositories: it introduces a hierarchical verification system that limits the damage a single compromised developer account can do to a repository. As an additional security layer on top of Git, Gittuf provides utilities to manage developer keys and access rules for branches, tags and files. The project is written in Go, licensed under Apache 2.0 and still under active development.
Gittuf stores its verification metadata in a separate namespace inside the Git object store, so it stays compatible with existing tools and hosting services such as GitHub and GitLab. Gittuf builds on TUF (The Update Framework), which is also used to protect the update process in projects such as Docker, Fuchsia, Automotive Grade Linux (AGL) and PyPI.
Gittuf's verification model is built around a hierarchy of trust. Repository owners hold the root of trust, which lets them issue keys to developers and define the rules under which those keys apply. The rules are flexible: they specify what each developer is permitted to change in the repository, including creating tags, modifying branches and altering files.
Developers and their actions are identified by keys and digital signatures. Gittuf supports key generation, secure key distribution, key rotation, key revocation, access control lists (ACLs) and Git revocations. In addition, Gittuf keeps a Reference State Log (RSL) of changes, protected by a tree structure so that its integrity can be verified and tampering detected.
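To make the hierarchy described above concrete, here is an added toy model (constructed for this article, not gittuf's own code or its metadata format) of how verification walks from a root of trust to a policy and then to per-namespace rules before accepting an RSL-style entry. It assumes key ids, an HMAC stand-in for the real public-key signatures, `git:`/`file:` pattern prefixes, and an "every matching rule must authorise the signer" semantics that simplifies gittuf's actual delegation logic.

```python
"""Constructed model of gittuf-style hierarchical trust; stdlib only."""
import fnmatch
import hashlib
import hmac

# Stand-in for asymmetric keys: a key id maps to a secret, and a "signature"
# is an HMAC over the signed payload. gittuf itself uses public-key signatures.
KEYS = {"root-1": b"root-secret", "maint-1": b"maint-secret",
        "dev-1": b"dev-secret", "dev-2": b"dev-secret-2"}

def sign(key_id, payload):
    return hmac.new(KEYS[key_id], payload.encode(), hashlib.sha256).hexdigest()

def verify(key_id, payload, sig):
    return key_id in KEYS and hmac.compare_digest(sign(key_id, payload), sig)

# Root of trust (held by repository owners): which keys may author policy.
ROOT = {"policy_keys": ["maint-1"]}
ROOT_SIG = ("root-1", sign("root-1", repr(ROOT)))

# Policy (signed by a root-authorised key): rules map patterns to allowed keys.
POLICY = {"rules": [
    {"name": "protect-main", "patterns": ["git:refs/heads/main"], "keys": ["maint-1"]},
    {"name": "protect-tags", "patterns": ["git:refs/tags/*"], "keys": ["maint-1"]},
    {"name": "ci-config", "patterns": ["file:.github/*"], "keys": ["maint-1", "dev-1"]},
]}
POLICY_SIG = ("maint-1", sign("maint-1", repr(POLICY)))

def policy_trusted(root, root_sig, policy, policy_sig):
    """Walk the hierarchy: root signature valid, policy signed by a root-authorised key."""
    rk, rs = root_sig
    pk, ps = policy_sig
    return (verify(rk, repr(root), rs) and pk in root["policy_keys"]
            and verify(pk, repr(policy), ps))

def authorized(policy, target, signer):
    """Signer may touch target (e.g. 'git:refs/heads/main', 'file:.github/ci.yml')
    if every rule whose pattern matches lists the signer; unmatched targets are open."""
    matching = [r for r in policy["rules"]
                if any(fnmatch.fnmatch(target, p) for p in r["patterns"])]
    return all(signer in r["keys"] for r in matching)

def verify_entry(entry):
    """Check one constructed RSL-style entry: (ref, commit, changed files, signer, sig)."""
    ref, commit, files, signer, sig = entry
    if not policy_trusted(ROOT, ROOT_SIG, POLICY, POLICY_SIG):
        return False                      # broken trust chain: reject everything
    if not verify(signer, f"{ref}:{commit}", sig):
        return False                      # entry not signed by the claimed key
    targets = [f"git:{ref}"] + [f"file:{f}" for f in files]
    return all(authorized(POLICY, t, signer) for t in targets)
```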