Sign the commits and/or tags on Bitwarden's Github repositories

Feature Requests Password Manager
1

Background:
When a malicious party gains access to Bitwarden’s developer accounts, the party has the potential ability to publish arbitrary code as “updates” on the Bitwarden repositories (Github) or distribution channels (Firefox Addons/Chrome Web Store/…), potentially compromising the entire security of this application for a lot of users. This is why securing developer accounts should be one of the highest priorities of the Bitwarden Team.

Problem Description:
A strong password and 2FA are good measures to secure developer accounts. With Git and Github, there is an additional possibility: Signing git commits and/or tags with a GPG key that is kept locally on the developer’s device. This security feature is described here. Signed commits and tags add another layer of security to code publishing, making sure that nobody has taken over Bitwarden’s Github account. With signed tags, we can verify that releases are approved/signed by the Bitwarden Team. People who have doubts about the security of the extension update mechanisms of their browser / worry about potential account compromises could check out the latest signed release from Github and compile the browser extension themselves.

2b66cea4-ce8c-40c5-8464-39a988cdbb2c
2b66cea4-ce8c-40c5-8464-39a988cdbb2c448×348 38.2 KB

Feature Request:
The Bitwarden Team should always sign commits or at the least sign the release tags on Github for increased security.

2

@Qwby That’s a very good one. I didn’t notice the Verified sign before on github.

3

If an attacker gained access to the dev’s account, he could add his public gpg key to the dev’s account and push commit that would be marked as verified too, so the verified badge is not enough : you also need to take a look at the key id

4

You’re right, now that I’ve read more into it I’m not so sure anymore that this improves security by a lot, in this case.

The main benefit seems to be to prevent that someone can push a commit with an arbitrary user.name and user.email in their .gitconfig without having a proof that proves the identity is correct. For this to happen, the attacker needs write access to the repository, and if that has happened, something went seriously wrong in the first place.

So, it may be a problem with bigger repositories with lots of people having write access and then someone tries to impersonate somebody else. Though having everything being pull requests with manual review seems to pretty much eliminate this possibility.

I’m not an expert on security myself and open for discussion, my initial thought was just that this is suggested by Github, so why not use it, right? But I agree we have to look at where this would add additional security, otherwise this would just be unnecessary.

1 Like
5

Stale