{"id":15837858,"url":"https://github.com/sambacha/gitsz","last_synced_at":"2026-01-20T13:01:42.413Z","repository":{"id":38299926,"uuid":"307932756","full_name":"sambacha/gitsz","owner":"sambacha","description":"deterministic and secure source artifact creation process for git archive and git tag","archived":false,"fork":false,"pushed_at":"2023-04-28T17:58:30.000Z","size":474,"stargazers_count":1,"open_issues_count":2,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-19T19:31:58.666Z","etag":null,"topics":["artifact","git","git-secure-tag","git-tag","git-tools","git-workflow","gitsz","source","tag"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sambacha.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-28T07:02:43.000Z","updated_at":"2021-12-15T04:43:14.000Z","dependencies_parsed_at":"2024-10-30T06:15:33.663Z","dependency_job_id":null,"html_url":"https://github.com/sambacha/gitsz","commit_stats":{"total_commits":62,"total_committers":4,"mean_commits":15.5,"dds":"0.30645161290322576","last_synced_commit":"8e2d9cec60ae2d5c516955dd0615d3c2fc96faf1"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/sambacha/gitsz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sambacha%2Fgitsz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sambacha%2Fgitsz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sambach
a%2Fgitsz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sambacha%2Fgitsz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sambacha","download_url":"https://codeload.github.com/sambacha/gitsz/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sambacha%2Fgitsz/sbom","scorecard":{"id":797091,"data":{"date":"2025-08-11","repo":{"name":"github.com/sambacha/gitsz","commit":"8e2d9cec60ae2d5c516955dd0615d3c2fc96faf1"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.3,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/19 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the 
principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/sambacha/gitsz/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/sambacha/gitsz/ci.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/sambacha/gitsz/ci.yml/master?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:32","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v3.1.0 not signed: https://api.github.com/repos/sambacha/gitsz/releases/51853085","Warn: release artifact v3.1.0 does not have provenance: https://api.github.com/repos/sambacha/gitsz/releases/51853085"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if 
the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'","Warn: branch protection not enabled for branch 'trunk'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 13 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"12 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T09:19:12.478Z","repository_id":38299926,"created_at":"2025-08-23T09:19:12.478Z","updated_at":"2025-08-23T09:19:12.478Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28603404,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-20T12:01:53.233Z","status":"ssl_error","status_checked_at":"2026-01-20T12:01:46.545Z","response_time":117,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifact","git","git-secure-tag","git-tag","git-tools","git-workflow","gitsz","source","tag"],"created_at":"2024-10-05T15:42:04.835Z","updated_at":"2026-01-20T13:01:42.381Z","avatar_url":"https://github.com/sambacha.png","language":"JavaScript","readme":"# [gitsz](#)\n\n\u003e git secure tag \n\n\n[![ci](https://github.com/sambacha/gitsz/actions/workflows/ci.yml/badge.svg)](https://github.com/sambacha/gitsz/actions/workflows/ci.yml)\n\n## Abstract\n\n\u003e `$GIT_TAG` should be the primary artifact\n\nWith the current design, it is necessary to use Git to clone the\nrepository and use Git to walk the trees. 
This means that Git is exposed\nto untrusted data before the signature is verified, making it part of\nthe TCB (Trusted Computing Base).\n\n\u003e This is not desirable because Git has a large footprint in the\n\u003e engineering ecosystem\n\nAt least, the recommended steps should verify the signature before a\ncheckout is performed (which is probably the riskiest operation,\nbecause it involves partially attacker-controlled file system\noperations).\n\nThe point of signing a `git` commit is to authenticate history to future\nconsumers, so the fact that history was _tampered with deliberately_\nneeds to be preserved in the signature, because it is possible to alter\nthe exact semantics/content of the commit.\n\n\u003e `git` uses SHA-1 hashes when signing tags. SHA-1 is generally\n\u003e deprecated and is no longer collision-safe (though **collisions\n\u003e are yet to come**; a pre-image attack is yet to come).\n\n### Replacing tarballs\n\nWhat gitsz (i.e. git-evtag) implements is an algorithm for providing a\nstrong checksum over the complete source objects for the target:\n\n```diff\n    -commit (- trees - blobs - submodules)\n    +commit (+ trees + blobs + submodules)\n```\n\nThen it’s integrated with GPG for end-to-end verification. 
(Although\none could also wrap the checksum in X.509 or some other public/private\nsignature solution.)\n\nThis is similar to what project distributors often accomplish by using\ngit archive, or make dist, or similar tools to generate a tarball, and\nthen checksumming that, and (ideally) providing a GPG signature covering\nit.\n\nIf the checksum is not reproducible, it becomes much more difficult to\neasily and reliably verify that a generated tarball contains the same\nsource code as a particular git commit.\n\n#### Canonical Git Commit\n\n```bash\n    $ GIT_AUTHOR_DATE=\"Thu, 01 Jan 1970 00:00:00 +0000\" GIT_COMMITTER_DATE=\"Thu, 01 Jan 1970 00:00:00 +0000\" git commit --allow-empty -m 'Initial commit'\n```\n\n#### Usage\n\n```bash\n    Usage: gitsz [-s | -u \u003ckeyid\u003e] [-m \u003cmsg\u003e]\n                          \u003ctagname\u003e [\u003ccommit\u003e | \u003cobject\u003e]\n\n    Commands:\n      hash  print hash of repository contents\n\n    Options:\n      -v, --verify  Verify the gpg signature of a given tag                [boolean]\n      --insecure    Do not sign the tag                                    [boolean]\n      -h, --help    Show help                                              [boolean]\n```\n\n##### generate tag\n\n`gitsz -s v2.5.0`\n\n##### verify tag\n\n```bash\n    $ gitsz -v v2.5.0\n    gpg: Signature made Wed Oct 28 00:16:58 2020 PDT\n    gpg:                using RSA key C00B2090F23C5629029111CBF5D2A7216C51FB94\n    gpg: Good signature from \"sam bacha \u003csam@freighttrust.com\u003e\" [ultimate]\n    gpg:                 aka \"Freight Trust Corp \u003csam@freighttrust.com\u003e\" [ultimate]\n    Good Git-EVTag-v0-SHA512 hash\n```\n\n##### gitsz hash\n\n```bash\n    $ gitsz hash\n    bdf3cd8f2a4e29a5cf86cbd7fe815583b0e78b4efe4759fc7204b5dfb6fb928fde138f7fcfcae19e241b25d210b3c3147cb7b5327654ae3dd1ae02d4908e4671\n```\n\n### Reference Case 
Study\n\n[github/sambacha/BPBDTL/commit/21687a1a7d5f3c26e9c06fa23547fca4a09178a2](https://github.com/sambacha/BPBDTL/commit/21687a1a7d5f3c26e9c06fa23547fca4a09178a2)\n\n- In this scenario, I signed a commit at approx. 0 UNIX EPOCH time\n  using another user’s credentials, and by credentials I mean just\n  using their `email@address` and `user name`. No other passwords,\n  etc., are required. Although GitHub does not say `verified` for the\n  commit, it displays the user’s avatar, and may be overlooked without\n  more careful examination.\n\n### Implementation\n\n`gitsz` runs `cat-file` recursively for each entry (sorted\nalphabetically), enters submodules (if present), and hashes\nfile/directory names, file contents, and submodules (recursively again)\ninto a resulting `Git-EVTag-v0-SHA512: ...` SHA512 digest.\n\n## Installation\n\n    npm install -g gitsz\n\n## Usage\n\n    # Sign\n    gitsz v1.20.7 -m \"My tag annotation\"\n\n    # Verify\n    gitsz -v v1.20.7\n\n## Implementation and Contributors\n\nForked from [https://github.com/indutny/git-secure-tag](https://github.com/indutny/git-secure-tag)\n\nLargely inspired by: [@gwalters/git-evtag](https://github.com/cgwalters/git-evtag)\n\nFedor Indutny, 2016.\n\n## License\n\nSPDX-License-Identifier: MIT\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsambacha%2Fgitsz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsambacha%2Fgitsz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsambacha%2Fgitsz/lists"}