Git login and commit signing with security

Doing software engineering (well-ish) is hard to imagine without working in version control, which most of the time means git. In a practical git setup there is the question of how I get access to the code it stores (how do I "check things out"?) and, optionally, how others can verify that it was indeed me who made the changes (how do I "sign" my commits?). Recently I've changed my mind about what makes a good combination for these two aspects, and about which tools I use for them.

Access Options

In broad terms, git repositories can be checked out either through the HTTP protocol or through the SSH protocol. Both have pros and cons.

Adding two-factor authentication (2FA) made HTTP access more secure, but also more work to set up (no more direct username/password use; instead you create extra access keys, or tokens, that stand in for the password). Those credentials were still stored in plain text (as far as I know) on the machine, in some git config files.

The SSH setup was in some sense the more practical one (create the key pair on your own machine and hand over only the public half), though there were still secrets in plain text on my machine, as I don't think most people use passphrase-protected SSH keys, given the user experience. This is what I've used for years: add a new SSH key for each new machine I work on, check the code out over ssh+git, and work away.

Recently I came across the git-credential-manager tool, which is supposed to make HTTP access nicer (for various git servers and services) and get rid of plain text secrets. Of course it is not the first or only tool that manages git credentials, but being made by GitHub it has some more clout. This made me re-evaluate what options I have on the SSH side as well, looking for similar security improvements.

That's how I found that both 1Password and KeePassXC (the two main password managers I use) have ssh-agent integration, so they can store SSH keys and hand out access to them as needed. No more plain text (or passphrase-protected) private keys on disk with these either!

Now it seems there are two good, new options to evaluate, and for the full picture I also looked at how the commit signing options work in this context.


Magic for the Internet of Things:

I have my fair share of playing with embedded Linux and Internet of Things projects these days, but the real treat is occasionally finding a project that just blows me away. Through some Hacker News comments I ended up checking out, a tool that brings cloud deployment and management to embedded applications. That might sound simple (boring, even?), but here's the workflow in a nutshell:

  1. Start a new application and download an image file for your chosen single board computer (1 of 5 choices at the moment: Raspberry Pi 1 & 2, Parallella, Intel Edison, and BeagleBone Black)
  2. Flash the image onto an SD card, connect the board to the network, and boot it up
  3. The board shows up in the cloud management console, and you get a git repo address
  4. Make an application (Docker, Node.js, etc.), do a git push: voila, your board’s running your app
  5. Flash a few more SD cards, connect the devices to the network, all of them will run your application
  6. Modify the app behaviour through environment variables, either all of them at once, or customize each
  7. Check status, logs, updates, online, and enjoy that things just work!

I cannot emphasise enough how good any service feels that 1) is driven by git-pushing code, and 2) just works.


To try it all out, I’ve put together a very simple application: SomaStream – the SomaFM internet radio streaming app.

[Image: SomaStream device status]

Grabbed my Raspberry Pi, which hadn't done much lately, plugged an earphone into it, and started looking through the docs for examples of how to make it play streaming music.