gittuf/demo
A demo of gittuf.
The gittuf repository provides pre-built binaries that are signed and published using GoReleaser. The signatures for these binaries are generated using Sigstore with the release workflow's identity. Please use release v0.1.0 or higher, as prior releases were created to test the release workflow. Alternatively, gittuf can also be installed using `go install`.
To build from source, clone the repository and run `make`. This will also run the test suite prior to installing gittuf. Note that Go 1.23 or higher is necessary to build gittuf.

```bash
git clone https://github.com/gittuf/gittuf
cd gittuf
make
```
You can run the scripted demo with commentary using the run-demo script.

```bash
python run-demo.py
```
If you prefer to run the demo manually, follow the steps outlined below. You will set up a directory structure as follows:

```
.
├── keys
└── repo
```
Where `keys` will be copied from this repository. You will create two Git-compatible signing keys, one that is authorized for the demo policy and one that is not. You will see how policies are created, commit changes and run `gittuf` to verify, both on the happy and failing path:
```bash
# Temporary playground
cd "$(mktemp -d)"
mkdir {keys,repo}
cp -r "${OLDPWD}/keys" .
# ssh-keygen requires that key files have proper permissions
chmod 0600 keys/*
cd repo

# Create demo git repository
git init -b main

# In addition to SSH keys, Git and gittuf support using GPG keys.
# To use GPG keys instead of SSH keys, replace paths to keys with
# "gpg:fingerprint" and modify the Git configuration options below.
git config --local gpg.format ssh
git config --local commit.gpgsign true
git config --local user.signingkey ../keys/authorized
git config --local user.name gittuf-demo
git config --local user.email gittuf.demo@example.com

gittuf trust init -k ../keys/root
gittuf trust add-policy-key -k ../keys/root --policy-key ../keys/targets.pub
gittuf policy init -k ../keys/targets

# Add key definition to policy
gittuf policy add-key -k ../keys/targets --public-key ../keys/authorized.pub

# Add branch protection rule
gittuf policy add-rule -k ../keys/targets --rule-name 'protect-main' --rule-pattern git:refs/heads/main --authorize-key ../keys/authorized.pub

# Apply policy
gittuf policy apply

echo 'Hello, world!' > README.md
git add README.md
git commit -m 'Initial commit'
gittuf rsl record main

# This will succeed!
gittuf verify-ref main

# Simulate violation by using unauthorized key
git config --local user.signingkey ../keys/unauthorized
echo 'This is not allowed!' >> README.md
git add README.md
git commit -m 'Update README.md'
gittuf rsl record main

# This will fail as branch protection rule is violated!
gittuf verify-ref main

# Rewind to known good state
git reset --hard HEAD~1
git update-ref refs/gittuf/reference-state-log refs/gittuf/reference-state-log~1
git config --local user.signingkey ../keys/authorized

# Add file protection rule
gittuf policy add-rule -k ../keys/targets --rule-name 'protect-readme' --rule-pattern file:README.md --authorize-key ../keys/authorized.pub

# Apply policy
gittuf policy apply

# Make change to README.md using unauthorized key
git config --local user.signingkey ../keys/unauthorized
echo 'This is not allowed!' >> README.md
git add README.md
git commit -m 'Update README.md'

# But record RSL entry using authorized key to meet branch protection rule
git config --local user.signingkey ../keys/authorized
gittuf rsl record main

# This will fail as file protection rule is violated!
gittuf verify-ref main
```
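The two failing paths in the script above, modelled as an added Python example that is not part of the demo or of gittuf itself: a simplified rule evaluator in which `Rule`, `Commit`, `RSLEntry` and `verify_ref` are assumed names, the sample rules and key IDs are constructed to mirror the demo, and signature checking is replaced by a trusted signer field. It shows why the second violation still fails even though the RSL entry itself was recorded with the authorized key.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Rule:
    name: str            # e.g. "protect-main" (assumed model, not gittuf's metadata format)
    pattern: str         # "git:<ref glob>" or "file:<path glob>", as in the demo
    authorized: set      # key IDs allowed to sign changes that match the pattern

@dataclass
class Commit:
    signer: str          # key ID that signed the commit (signature assumed already verified)
    files: set           # paths modified by the commit

@dataclass
class RSLEntry:
    ref: str             # reference the entry records, e.g. "refs/heads/main"
    signer: str          # key ID that signed the RSL entry
    commits: list        # commits introduced since the previous entry for this ref

def matching_rules(rules, kind, target):
    """Rules whose namespace (git/file) and glob pattern match the target."""
    return [r for r in rules if r.pattern.startswith(kind + ":")
            and fnmatch(target, r.pattern.split(":", 1)[1])]

def verify_ref(rules, entry):
    """Branch rules are checked against the RSL entry's signer; file rules
    against the signer of every commit that touched a protected path."""
    for rule in matching_rules(rules, "git", entry.ref):
        if entry.signer not in rule.authorized:
            return False, f"{rule.name}: RSL entry for {entry.ref} signed by {entry.signer}"
    for commit in entry.commits:
        for path in sorted(commit.files):
            for rule in matching_rules(rules, "file", path):
                if commit.signer not in rule.authorized:
                    return False, f"{rule.name}: change to {path} signed by {commit.signer}"
    return True, "verified"

# Constructed sample mirroring the demo: both rules authorize only the "authorized" key.
DEMO_RULES = [Rule("protect-main", "git:refs/heads/main", {"authorized"}),
              Rule("protect-readme", "file:README.md", {"authorized"})]

def demo_scenarios():
    # The three verify-ref runs of the demo, in order: happy path, branch rule violation,
    # and file rule violation (authorized RSL entry over an unauthorized commit).
    readme = {"README.md"}
    return {
        "happy": verify_ref(DEMO_RULES, RSLEntry("refs/heads/main", "authorized", [Commit("authorized", readme)])),
        "branch": verify_ref(DEMO_RULES, RSLEntry("refs/heads/main", "unauthorized", [Commit("unauthorized", readme)])),
        "file": verify_ref(DEMO_RULES, RSLEntry("refs/heads/main", "authorized", [Commit("unauthorized", readme)])),
    }
```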
It is possible to use gittuf in your CI workflows using the gittuf-installer GitHub Action. For an example of gittuf verification in CI, take a look at gittuf/ci-demo.