FAQ

Is Scrutineer secure?

Nothing is 100% secure. Scrutineer relies on the security of your GitHub account and the machine that you use for development. If there is a breach of either your computer or your GitHub account, Scrutineer can't guarantee the integrity of your signed commits. We are working on signature revocation functionality.

Are OIDC providers other than GitHub supported?

Tell me about your needs and I will make the integration happen!

Scrutineer looks a lot like Sigstore?

Sigstore is a mature collection of tools for signing. The downside is that it is complex, which the authors admitted in a recent blog post:

The Sigstore architecture is admittedly complex! Complexity is bad and should be avoided where possible.

I think that Scrutineer is not complex. Even though Scrutineer is reminiscent of Sigstore, we found a less complex abstraction for signing and verifying git commits.

Scrutineer looks a bit like OpenPubKey?

OpenPubKey was released after Scrutineer was published. I must admit that their "hack" with the nonce is genius. It has a few shortcomings though, mainly related to privacy. Scrutineer uses pseudonymous user-handles for privacy reasons. Digital signatures are very powerful and they don't easily allow for plausible deniability. I think Scrutineer has a better abstraction around user management for better privacy.