Scrutineer

Scrutineer re-thinks git commit signing. Manage trust instead of keys.

If you have ever worked with GPG signatures in git, you know how frustrating the experience is. Scrutineer is an entirely new workflow for managing trust in teams and organizations. Once installed, you won't have to worry about key management again.

Source Code

You can find the source code on GitHub: https://github.com/scrutineertech/scrutineer

All code is signed by Scrutineer 🚀

Installation

If you use macOS, the preferred way is to use

brew install scrutineertech/scrutineer/scrutineer

With brew it is easy to stay up to date.

If you have Go installed, you can alternatively use

go install scrutineer.tech/scrutineer/cmd/scrutineer@latest

Login

After installing Scrutineer, log in with your GitHub account

scrutineer login

Usage

You can always yell for help with

scrutineer help

Somehow I have the feeling this doesn't answer your question. So here we go with a few examples.

Who am I?

Forgot your user handle? Wonder under which account you are logged in?

scrutineer whoami

How do I trust another user?

First make sure you receive the user handle via a secure channel. User handles always start with a "U". Scrutineer guarantees that a signed commit really belongs to the user handle in the signature. Scrutineer can't guarantee that this handle belongs to a specific person, for example the person behind the e-mail address you see in the signed commit. That is why the handle itself must reach you over a channel you trust.

Trust a user handle from now until now + 365 days

scrutineer trust user UXXXXXXXX

Or with a more specific start and end time

scrutineer trust user --start 2023-01-01T00:00:00 --end 2023-12-31T00:00:00 UXXXXXXXX

There is no need to trust yourself. You always do 🙂

Show Realm 🏰

To see who you trust, run

# scrutineer realm

Direct trust relationships:
ID      User ID         Start                   End
1       UAAAAAAAA       2023-10-10T17:00:00Z    2024-10-10T17:00:00Z

Realm

The Realm is the most powerful and most important concept of Scrutineer. It solves the problem of managing trust relationships with many users.

Your realm is personal. You and only you decide what is in it - and what is not.

Temporal properties of git signatures

With most uses of signatures, signing and verification happen within a short time of each other. With git it is different: years can pass between signing a commit and verifying that same commit. Scrutineer accounts for this mismatch by providing a timeline in which signatures are valid (see image below). A commit is trusted if a trusted user signed it within a specific time interval.

[Image: Realm]

Contents of the Realm

You can trust

  • users
  • teams
  • organizations

for a defined time interval. By default, an interval starts now and ends 365 days from now. This is a sensible default; you can override it at any time and even create multiple intervals per user, team and organization.

Trust of Teams and Organizations

I saw the need for managed groups. Usually you don't develop software in isolation. Likewise, you usually don't trust just one other developer; you trust an entire organization. Implicitly, we trust organizations the moment we download their unsigned code. It would be even better if we downloaded and verified their signed code. The individual developer plays a less important role in this situation.

Teams and Organizations

You can always trust as many teams and organizations as you want (and users as well). Team handles start with a "T" and organization handles start with an "O".

Creating a team

Creating teams and organizations is an upcoming paid feature. Once you are subscribed, you are the owner of your organization. You can make other users managers of your organization. Below the organization are teams, and you can make other users managers of your teams.

For the time being, you can trust other users directly.

Technical Explanation

At its core, Scrutineer signs git commits. A signature does not make sense without verification, and that is where Scrutineer comes into play.

The verification of signatures is an NP-hard problem. Whenever a person joins or leaves your team, everyone needs to update their trust database. This is a tedious and error-prone process. With Scrutineer, developers manage whom they trust: that can be only themselves, their peers, their teams, or even their entire organization. User management is then done at the team or organization level by trusted personnel.

Security of the signing process

Signing usually happens in the background if you configure git to do so [1]. Scrutineer never gets in your way. The content of your commit message [2] is sent to a Scrutineer server. You are authenticated under your user handle, which is a 9-character string that starts with "U". Your source code is not sent to the Scrutineer servers.

The backend checks your authentication, signs the commit message and sends the signature back to you. Git then stores the signed commit in the repository.

[Image: Sign]

How the signature is composed

To calculate the signature, the following byte representations are concatenated:

  1. Message
  2. User Id
  3. RFC 3339 Timestamp in UTC

The resulting bytes are hashed with SHA256. The raw hash is then signed with elliptic curve cryptography. Scrutineer uses the curve NIST P-256 (FIPS 186-3, section D.2.3), also known as secp256r1 or prime256v1.

Security of the verification process

The content of the signature is not only the commit message, but also the authenticated account and the timestamp. Your realm [3] is then compared to the signature in three steps:

  1. Is the signature valid?
  2. Is the signing user in your realm?
  3. Was the signature made within the allowed time interval for this user in your realm?

If the user is not in your realm directly, they may still be part of a team or organization you trust.
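The signing input from "How the signature is composed", the three verification steps above, and the time-bounded realm from the Realm section, worked through end to end in Go. This is an added example, not Scrutineer's own code. It assumes ECDSA as the signature scheme over P-256 (the page says only "elliptic curve cryptography"), generates a throwaway key in place of the Scrutineer backend's signing key, lets the caller supply the user handle that the real backend derives from the authenticated session, and treats each trust interval as closed at both ends. The handle, dates and commit message are constructed; the realm entry mirrors the shape of the scrutineer realm output shown earlier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// TrustInterval is one realm entry: UserID is trusted for signatures made in [Start, End].
// Realm is the verifier's personal list of such intervals; a user may appear more than once.
type TrustInterval struct {
	UserID     string
	Start, End time.Time
}
type Realm []TrustInterval

// signingInput concatenates the three byte strings the page lists:
// message, user id, RFC 3339 timestamp in UTC.
func signingInput(message []byte, userID string, ts time.Time) []byte {
	buf := append([]byte{}, message...)
	buf = append(buf, userID...)
	return append(buf, ts.UTC().Format(time.RFC3339)...)
}

// Sign hashes the composed input with SHA-256 and signs the raw hash with ECDSA over P-256.
// Assumption: the caller supplies userID; the real backend takes it from the authenticated session.
func Sign(priv *ecdsa.PrivateKey, message []byte, userID string, ts time.Time) ([]byte, error) {
	digest := sha256.Sum256(signingInput(message, userID, ts))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// mustSign wraps Sign for the demo; it only fails if the system RNG does.
func mustSign(priv *ecdsa.PrivateKey, message []byte, userID string, ts time.Time) []byte {
	sig, err := Sign(priv, message, userID, ts)
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyResult names the check that rejected the signature, or Trusted if all three passed.
type VerifyResult string

const (
	Trusted         VerifyResult = "trusted"
	BadSignature    VerifyResult = "bad signature"    // step 1: does not match message+user+timestamp
	UnknownUser     VerifyResult = "unknown user"     // step 2: handle is not in the realm
	OutsideInterval VerifyResult = "outside interval" // step 3: in the realm, but not at the signed time
)

// Verify runs the three checks in the page's order. Because user id and timestamp are part
// of the hashed input, altering either one fails step 1 instead of slipping past step 3.
func Verify(pub *ecdsa.PublicKey, realm Realm, message []byte, userID string, ts time.Time, sig []byte) VerifyResult {
	digest := sha256.Sum256(signingInput(message, userID, ts))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return BadSignature
	}
	inRealm := false
	for _, ti := range realm {
		if ti.UserID == userID {
			inRealm = true
			if !ts.Before(ti.Start) && !ts.After(ti.End) {
				return Trusted
			}
		}
	}
	if !inRealm {
		return UnknownUser
	}
	return OutsideInterval
}

// RunScenario exercises all four outcomes with constructed data and a fresh key standing in for the Scrutineer signing key.
func RunScenario() map[string]VerifyResult {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed realm: one handle trusted for one year, mirroring the `scrutineer realm` output above.
	start := time.Date(2023, 10, 10, 17, 0, 0, 0, time.UTC)
	realm := Realm{{UserID: "UAAAAAAAA", Start: start, End: start.AddDate(1, 0, 0)}}
	msg := []byte("constructed commit message\n")
	inside, late := start.AddDate(0, 3, 0), start.AddDate(2, 0, 0) // inside vs. after the interval
	sigOK := mustSign(priv, msg, "UAAAAAAAA", inside)
	tampered := append([]byte("edit made after signing\n"), msg...) // message changed, signature reused
	return map[string]VerifyResult{
		"valid":    Verify(&priv.PublicKey, realm, msg, "UAAAAAAAA", inside, sigOK),
		"tampered": Verify(&priv.PublicKey, realm, tampered, "UAAAAAAAA", inside, sigOK),
		"stranger": Verify(&priv.PublicKey, realm, msg, "UBBBBBBBB", inside, mustSign(priv, msg, "UBBBBBBBB", inside)),
		"late":     Verify(&priv.PublicKey, realm, msg, "UAAAAAAAA", late, mustSign(priv, msg, "UAAAAAAAA", late)),
	}
}

func main() {
	fmt.Println(RunScenario()) // fmt prints map keys sorted: late, stranger, tampered, valid
}
```

The order of the checks matters: only a signature that already verifies over message, handle and timestamp reaches the realm lookup, so a commit cannot be moved into someone else's trust interval by editing the handle or the timestamp after the fact. The "stranger" case shows a perfectly valid signature that is nonetheless untrusted, which is the separation of signature validity from trust that the page is built around.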

[1] Run git config --global commit.gpgsign true
[2] Typically a commit message consists of 1) tree hash 2) author 3) committer 4) commit message
[3] Realms (see the Realm section above)

FAQ

Is Scrutineer secure?

Nothing is 100% secure. Scrutineer relies on the security of your GitHub account and of the machine you use for development. If either your computer or your GitHub account is breached, Scrutineer can't guarantee the integrity of your signed commits. We are working on signature revocation functionality.

Are other OIDC providers supported than GitHub?

Tell me about your needs and I will make the integration happen!

Scrutineer looks a lot like Sigstore?

Sigstore is a mature collection of tools for signing. The downside is that it is complex, which the authors admitted in a recent blog post:

The Sigstore architecture is admittedly complex! Complexity is bad and should be avoided where possible.

I think that Scrutineer is not complex. Even though Scrutineer is reminiscent of Sigstore, we found a less complex abstraction for signing and verifying git commits.

Scrutineer looks a bit like OpenPubKey?

OpenPubKey was released after Scrutineer was published. I must admit that their "hack" with the nonce is ingenious. It has a few shortcomings though, mainly related to privacy. Scrutineer uses pseudonymous user handles for privacy reasons. Digital signatures are very powerful and do not easily allow for plausible deniability. I think Scrutineer has a better abstraction around user management, which gives better privacy.

Terms of Service

Last modified: October 17th, 2023

By using Scrutineer and its websites (the "Services") and making use of a Scrutineer Account (the “Account”) and all its related features, you agree to be bound by the following terms of service (the “Terms”). These Terms cover all present and future features provided by your Account. The Services are operated by Sprenger Company B.V. (“We”, the “Company”), domiciled at Boompjes 49R, 3011XB Rotterdam, The Netherlands. It is therefore governed by the laws and regulations of The Netherlands. Use of your Account or the Services includes registering an Account, keeping an Account open (not deleted by you or not deleted or deactivated by Scrutineer), or accessing our website or mobile/desktop applications, or making use of our services. Please read these Terms carefully before you use your Account or the Services. By using your Account or the Services, you are agreeing to be bound by these Terms. You may not use your Account or the Services if you do not agree to these Terms. These Terms apply every time you use your Account or the Services. If you agree to these Terms on behalf of a company or another legal entity, you represent that you have the authority to bind such entity, its affiliates, and all users who access the Services through your Account to these Terms. In the absence of such an authority, you are not authorized to use the Services.

  1. Users of the Services The Services are provided exclusively to individuals who are at least 13 years of age, and even then, only to minors who have obtained parental or legal guardian consent to open and maintain an Account. The Services are provided exclusively to persons or legal entities. Accounts registered by “bots” or automated methods are not authorized and will be terminated. Each user is solely responsible for all actions performed through the Services.
  2. Authorized use of the Services You agree not to use your Account or the Services for any illegal or prohibited activities. Unauthorized activities include, but are not limited to: Disrupting the Company's networks and Servers in your use of the Services; Accessing/sharing/downloading/uploading illegal content, including but not limited to Child Sexual Abuse Material (CSAM) or content related to CSAM; Infringing upon or violating the intellectual property rights of the Company or a third party; Harassing, abusing, insulting, harming, defaming, slandering, disparaging, intimidating or discriminating against someone based on gender, sexual orientation, religion, ethnicity, race, age, nationality or disability; Trading, selling or otherwise transferring the ownership of an Account to a third party; Promoting illegal activities or providing instructional information to other parties to commit illegal activities; Having multiple free Accounts (e.g. creating bulk signups, creating and/or operating a large number of free Accounts for a single organization or individual); Paying for your subscription with fraudulent payment means, such as a stolen credit card; Engaging in spam activities, which are defined as the practice of sending irrelevant or unsolicited messages or content over the internet, typically to a large number of recipients, notably for the purposes of advertising, phishing, or spreading malware or viruses; Sending junk mail, bulk emails, or mailing list emails that contain persons that have not specifically agreed to be included on that list. You agree not to use the Services to store or share content that violates the law or the rights of a third party; Abusive registrations of email aliases for third-party services; Attempting to access, probe, or connect to computing devices without proper authorization (i.e. any form of unauthorized "hacking"); Referring yourself or another one of your accounts to unduly benefit from our referral program's advantages. Any Account found to be committing the listed unauthorized activities will be immediately suspended. The Company may also terminate Accounts which are being used for illegal activities that are not listed above, particularly in response to orders from the competent authorities informing of such illegal activity. We reserve the right to limit service capacity for free Accounts whose use of resources (e.g. bandwidth) is excessive and hurts the user experience of other users in an unfair way. The Company reserves the right to suspend or delete free Accounts that have been inactive for a consecutive period of twelve months. For more information, we invite you to read our inactive account policy. If you would like to contest the suspension of your account, please submit an appeal through our customer service.
  3. Limited warranties and liability The Company does not make any warranty about the reliability of the Services or the security of user data, despite best efforts. The Service is provided “as is” and “as available,” without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, title, accuracy, non-infringement, or warranties that may arise from course of dealing or course of performance or usage of trade. The Company has no obligation to store or forward the contents of terminated Accounts. We also have no obligation to store messages or contents for accounts that exceed their storage quotas. Furthermore, you will not hold the Company liable or seek indemnification if confidential material is unintentionally released as the result of a security failure or vulnerability in the performance of the Services. To the extent not prohibited by law, you acknowledge and agree that in no event will the Company be responsible or liable to you or any third party, under any theory of responsibility or liability, for any indirect, special, exemplary, incidental, consequential, or punitive damages (including, but not limited to, procurement of substitute goods or services; loss of data, use, or profits; business interruptions; or any other damages or losses), for any multiplier on or increase to damages, or for any costs or fees (including attorneys’ fees), whether under these Terms or otherwise, arising in any way in connection with your Account, the Services, or these Terms, whether arising at law, in equity, or otherwise, and whether based in contract, strict liability, tort (including negligence or otherwise), common law, statute, equity, or otherwise, even if we have been advised of the possibility of such damage, or for any other claim, demand, or damages whatsoever, arising out of or related to your use or inability to use your Account or the Services. Without limitation of the foregoing, and to the extent not prohibited by law, the total liability of the Company’s parties for any reason whatsoever arising out of or related to the use of, or inability to use, your Account or the Services, or these Terms, shall not exceed EUR100, or the amount you paid us, if any, for use of your Account or the Services, whichever amount is greater. This liability, if any, shall be complete and exclusive. The foregoing limitations will apply even if the above stated remedy fails of its essential purpose. Applicable law in some locations, such as the State of New Jersey, does not allow the waiver of implied warranties, the limitation of liability of certain damages set forth above, including the provisions of this section that limit or exclude special, exemplary, consequential, or punitive damages, or limit or exclude the use of any multiplier on or increase to damages, and limit the liability of the Company or any of the Company’s parties, to the greater of either EUR100 or the amount paid by you for use of your Account or the Services. These limitations or exclusions may not apply to you. The provisions of this section do not apply to the extent, and only to the extent, not permitted by applicable law. IF YOU ARE A CALIFORNIA RESIDENT, YOU WAIVE CALIFORNIA CIVIL CODE § 1542, WHICH SAYS: A GENERAL RELEASE DOES NOT EXTEND TO CLAIMS THAT THE CREDITOR OR RELEASING PARTY DOES NOT KNOW OR SUSPECT TO EXIST IN HIS OR HER FAVOR AT THE TIME OF EXECUTING THE RELEASE AND THAT, IF KNOWN BY HIM OR HER, WOULD HAVE MATERIALLY AFFECTED HIS OR HER SETTLEMENT WITH THE DEBTOR OR RELEASED PARTY.
  4. Indemnification You agree that the Company, and any parents, subsidiaries, officers, directors, employees, agents, or third-party contractors (the "Indemnified Parties") cannot be held responsible for any third-party claim, demand, or damages, including reasonable attorneys’ fees, arising out of your use of your Account or the Services. You agree that the Indemnified Parties will have no liability in connection with any such third-party claim, demand, or damages, and you agree to indemnify any and all resulting loss, damages, judgments, awards, costs, expenses, and attorneys’ fees and litigation expenses of the Indemnified Parties in connection therewith. You will also indemnify and hold the Indemnified Parties harmless from and against any third-party claims, demands, or damages arising out of your use of your Account or the Services.
  5. Privacy Our Privacy Policy explains the way we handle and protect your personal data and privacy in relation to your Account, your use of the Services, and your browsing of our websites. By agreeing to the present Terms and to be able to use the Services, you also agree to our Privacy Policy and its sub-policies.

If, in the provision of the Services, the Company processes, on the user’s behalf (where the user acts as a Data Controller), any personal data that is subject to the EU General Data Protection Regulation (GDPR), the company’s data processing agreement shall apply.

  6. Modification to the terms of service Within the limits of applicable law, the Company reserves the right to review and change these Terms at any time. As long as you are using your Account or the Services, you are responsible for regularly reviewing these Terms. Continued use of your Account or the Services, including non-deletion of your Account after such changes are performed shall constitute your consent to them. The latest Terms will apply going forward and to any dispute or issue arising after the Terms have been updated.
  7. Severability If any of the provisions of these Terms are held by a court or other tribunal of competent jurisdiction to be void or unenforceable, such provisions, unless they materially affect the entire intent and purpose of these Terms or unless otherwise provided herein, shall be limited or eliminated to the minimum extent necessary and replaced with a valid provision that best embodies the intent of these Terms, so that these Terms shall remain in full force and effect.
  8. Applicable law and language These Terms shall be governed in all respects by the substantive laws of The Netherlands, to the maximum extent permitted by law. Any disputes, actions, claims, or other controversies arising out of or relating in any way to these Terms, your Account, the Services, your use of (or lack of use of) or access to (or lack of access to) your Account or the Services, or any advertising, promotion, or other communications between you and the Company, whether based in contract, warranty, tort, statute, regulation, ordinance, or any other legal or equitable basis, shall be subject to the jurisdiction of the competent courts of The Netherlands.
  9. Miscellaneous These Terms do not affect your statutory rights or your legal rights, if any, as a consumer. Headings are for reference purposes only and in no way define, limit, construe or describe the scope of such section. Our failure to enforce any provision of these Terms shall not constitute a waiver of that or any other provision. We may assign these Terms in whole or in part. Moreover, we may delegate our rights and responsibilities or use contractors or agents to fulfill our obligations under these Terms. These Terms represent the entire agreement between you and us in connection with your use of your Account or the Services, and they supersede all prior or contemporaneous communications and proposals, whether electronic, oral, or written between you and the Company with respect to your Account or the Services. In case of discrepancy between the English version of these Terms and any translated version, the English version shall prevail.

Privacy policy

Last modified: October 17th, 2023

This Privacy Policy describes how Scrutineer collects, uses, and deletes your data.

By using Scrutineer and its websites (the "Services") and making use of a Scrutineer Account (the “Account”) and all its related features, you understand that your data in relation with your use of our Services is processed according to the following privacy policy. The Privacy Policy states (i) what data we collect through your access and uses of the Services; (ii) the use we make of such data; and (iii) the safeguards put in place to protect your data. The Privacy Policy is to be read and understood as being a complement to our terms and conditions.

  1. Legal framework The Services are operated by Sprenger Company B.V. (the “Company”, “We”), domiciled at Boompjes 49R, 3011XB Rotterdam, The Netherlands. It is therefore governed by the laws and regulations of The Netherlands.
  2. Data Scrutineer collects from you, and how we use it Our overriding policy is to collect as little user information (personal data included) as possible to ensure a private user experience when using the Services. Data collection is limited to the following:
    1. Account creation Specifically the identity your account is bound to, which is a GitHub user ID.
    2. Account activity Specifically the signature and verification process and management tasks related to your Realm, including information stored in the signed commit.
    3. IP logging By default, we do not keep permanent IP logs in relation with your Account. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (e.g. spamming, DDoS attacks against our infrastructure, brute force attacks). The legal basis of this processing is our legitimate interest to protect our service against nefarious activities.
    4. Communicating with Scrutineer and the sales team
    5. Payment information We rely on third parties to process credit card and PayPal transactions and must therefore share payment information with these providers. We do not retain full credit card details, we only save your name and the last 4 digits of the credit card number. We may use your account data for payment-related matters, including but not limited to sending you emails, invoices, receipts, notices of delinquency, and alerts to update payment information. The legal basis of these processing activities is the necessity to the execution of the contract to provide the Services. In order to respect the principle of data minimisation, we reserve our right to remove payment information from our systems that is no longer valid, without notice.
  3. Data disclosure We will only disclose the limited user data we possess if we are legally obligated to do so by a binding request coming from the competent EU authorities. We may comply with electronically delivered notices only when they are delivered in full compliance with the requirements of EU law.
  4. Your privacy rights at Scrutineer Through your Account interface, you can directly access, edit, delete, or export personal data processed by the Company in your use of the Services. If your Account has been suspended for a breach of our terms and conditions, and you would like to exercise the rights related to your personal data, you can make a request to our support team. In case of violation of your rights, you have the right to lodge a complaint to the competent supervisory authority.
  5. Modifications to Privacy Policy Within the limits of applicable law, the Company reserves the right to review and change this Privacy Policy at any time. As long as you are using the Services, you are responsible for regularly reviewing this Privacy Policy. Continued use of the Services after such changes are performed shall constitute your consent to it.