This is a demonstration of using gittuf verification in a CI workflow. This repository has a simple policy protecting the main branch that says all updates to the branch's state must be signed using Sigstore. The expected identity is @adityasaky's and the expected issuer is GitHub.

The folder .keys includes the root and targets keys used to manage the gittuf policy.

The policy on this repository declares the Sigstore identity and a protection rule applicable to the main branch granting permission to that Sigstore identity. To inspect the policy in more detail, use gittuf clone to download the repository with the gittuf namespaces. You can find pre-built (and signed) binaries for gittuf from its latest release. Alternatively, clone the repository using Git and fetch refs/gittuf/reference-state-log and refs/gittuf/policy manually.
{
  "keys": {
    "[email protected]::https://github.com/login/oauth": {
      "keyid_hash_algorithms": null,
      "keytype": "sigstore-oidc",
      "keyval": {
        "identity": "[email protected]",
        "issuer": "https://github.com/login/oauth"
      },
      "scheme": "fulcio",
      "keyid": "[email protected]::https://github.com/login/oauth"
    }
  },
  "roles": [
    {
      "name": "protect-main",
      "paths": [
        "git:refs/heads/main"
      ],
      "terminating": false,
      "keyids": [
        "[email protected]::https://github.com/login/oauth"
      ],
      "threshold": 1
    },
    {
      "name": "gittuf-allow-rule",
      "paths": [
        "*"
      ],
      "terminating": true,
      "keyids": [],
      "threshold": 1
    }
  ]
}
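As an added example (not code from this repository or from gittuf itself), the following Python walks the rule file above the way a verifier would: rules are checked in order, every matching rule must be met by at least `threshold` of its `keyids`, a matching rule with `terminating: true` ends the walk, and the catch-all `gittuf-allow-rule` (no keys) always passes. Those semantics are a simplified assumption for illustration, and the identity string is the page's own redacted value, not a real address.

```python
import fnmatch
import json

# Copied from the rule file shown on this page; "[email protected]" is the
# page's redacted identity placeholder, kept verbatim.
POLICY_JSON = r'''{
 "keys": {"[email protected]::https://github.com/login/oauth": {
   "keytype": "sigstore-oidc", "scheme": "fulcio",
   "keyval": {"identity": "[email protected]", "issuer": "https://github.com/login/oauth"},
   "keyid": "[email protected]::https://github.com/login/oauth"}},
 "roles": [
  {"name": "protect-main", "paths": ["git:refs/heads/main"], "terminating": false,
   "keyids": ["[email protected]::https://github.com/login/oauth"], "threshold": 1},
  {"name": "gittuf-allow-rule", "paths": ["*"], "terminating": true,
   "keyids": [], "threshold": 1}]}'''
POLICY = json.loads(POLICY_JSON)
ALLOW_RULE = "gittuf-allow-rule"  # catch-all rule name used by gittuf


def undeclared_keyids(policy):
    """Policy lint: keyids referenced by rules but missing from "keys"."""
    referenced = {k for r in policy["roles"] for k in r["keyids"]}
    return referenced - set(policy["keys"])


def matching_rules(policy, ref_path):
    """Rules whose path glob matches ref_path, in order, up to a terminating one."""
    matched = []
    for rule in policy["roles"]:
        if any(fnmatch.fnmatchcase(ref_path, p) for p in rule["paths"]):
            matched.append(rule)
            if rule["terminating"]:
                break
    return matched


def rule_satisfied(rule, signer_keyids):
    """A rule is met when >= threshold of its keyids actually signed."""
    if rule["name"] == ALLOW_RULE:
        return True  # assumed: the allow rule has no keys and always passes
    return len(set(rule["keyids"]) & set(signer_keyids)) >= rule["threshold"]


def is_authorized(policy, ref_path, signer_keyids):
    """Deny when no rule covers the ref; otherwise all matched rules must pass."""
    rules = matching_rules(policy, ref_path)
    return bool(rules) and all(rule_satisfied(r, signer_keyids) for r in rules)
```

A push to main signed by the declared Sigstore identity is accepted, the same push signed by any other key is rejected, and a ref not covered by protect-main falls through to the allow rule.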