Signed Git commits with Sigstore, Gitsign and OIDC
This article describes how to use Sigstore and Gitsign with Buildkite OpenID Connect (OIDC) to sign commits created by automation flows, making it possible to prove which Buildkite pipeline created a given commit. It explains why signing Git commits is important: a signature validates the identity of the signer and reduces the risk of unauthorized code changes. The article then presents a toolkit consisting of OIDC, Sigstore, and Gitsign, along with detailed instructions for signing commits in Buildkite. Finally, it stresses that cryptographically signing automatically generated Git commits improves security and traceability in software supply chains.
Company: Buildkite
Date published: July 21, 2023
Author(s): James Healy
Word count: 1095
Hacker News points: 4
Language: English