Practical (and impractical) git commit signing

Matthew Garrett

BSidesSF 2026 · Day 1 · AMC Theatre 09

Matthew Garrett examines the mechanics and practicalities of Git commit signing, a piece of software supply chain security that is widely recommended and frequently misunderstood. Garrett, a former Linux kernel developer with a long-standing interest in hardware-backed cryptographic keys, works through the three signing methods Git supports, GPG, X.509 certificates, and SSH keys, and where each falls short, particularly for organizations that have to manage many signers' keys over time. He argues for SSH certificates as the most workable option for commit signing at scale: verifiers trust a single certificate authority instead of maintaining a list of individual public keys, certificates can be short-lived and carry per-user identity, and the scheme leaves room for hardware attestation of the signing key.

AI review

Garrett is clearly the real deal — deep kernel and hardware-security background, and his SSH-certificates-over-GPG argument is technically sound and well-structured. This is competent, useful content for practitioners wrestling with supply chain signing workflows, but it's a BSides-level talk, not a Black Hat headliner: the core thesis is already floating around the informed practitioner community, and the lack of a live demo or novel tooling limits its lasting impact.
