The Sched app allows you to build your schedule, but it is not a substitute for event registration. To participate in the sessions, you must be registered for OpenSSF Community Day NA 2026. If you have not registered but would like to join us, please visit the event registration page to purchase a ticket.
You’ve probably heard by now that Git supports signing your commits, and you’ve probably heard the chorus encouraging you to sign yours.
There’s just a tiny little problem: what exactly do you do with those signatures? How do you know if a signature is legitimate? When a signing key needs to be rotated and is marked as untrusted, does that mean your entire Git history is “untrusted”? What makes a commit “Verified” on GitHub?
Wonder no more. In this talk, we will discuss the state of Git commit signing today, and dispel the mysteries that surround making sense of commit signatures. We’ll look at how gittuf brings structure to commit signatures, and then uses these signatures to enforce a security policy on your repository.
Patrick is a Ph.D. student at New York University researching software supply chain security. He focuses on securing version control systems that underpin systems such as The Archive Framework (TAF). He is also a maintainer of gittuf, an incubating project at the Open Source Security...