Code Signing
tag: [Engineer/Developer, Security Specialist]
Code signing ensures that the code has not been tampered with, and verifies the identity of the developer. Here are some best practices that could be followed:
- Ensure all Pull Requests (PRs) are signed with the user’s GPG key.
- Every PR must be reviewed by another core team member before being merged into the stable/main/master branch, with github settings set to reflect this.
- Require Multi-Factor Authentication (MFA) for all users where applicable and available. Encourage the use of hardware MFA such as Yubikeys.
- Rotate GPG keys regularly to mitigate the risk of key compromise.
- Maintain clear documentation on the code signing procedures for your team members.