Master Thesis: Root of Trust for Signed Commits in Version Control Systems

Brief description

Git, an example of a Version Control System (VCS), lets its users create Signed Commits (SC) using GPG signatures. SC are useful for establishing strong guarantees of integrity, authorship, non-repudiation and auditability of source code. These properties are highly desirable when developing high-assurance products. Additionally, the following features are desirable in an SC-enabled VCS: Write Access Control, Write Access Management and GPG Identity Revocation.


Available fall 2020


The purpose of this thesis is to theoretically investigate and practically develop a system that makes use of SC based on GPG signatures. The aim is to answer the following research questions:

  1. How can SC be used to guarantee that only explicitly permitted GPG identities are allowed to push commits to a specific VCS repository?
  2. What is a good Root of Trust (ROT) for strongly tying organization-global GPG identities to a specific individual?
  3. How can organization-global GPG identities be securely managed with low overhead and with as little need as possible for administrators or other VIPs to get involved?
  4. How can the permissions of (question 1) be flexibly and securely managed with low overhead, on a per-repository basis?
  5. How can organization-global GPG identities be securely revoked without the need for local administration of all VCS repositories?
  6. How can the validity of past signatures be maintained after revocation?
  7. What are good procedures for repository audits of GPG signature correctness?
  8. How should VCS hooks be designed to prevent user mistakes from propagating into VCS repositories?

Preferred areas of knowledge/interest

  • Security Protocols
  • Ring/web of trust
  • Git and other VCSs
  • DevOps

Headquarters - Malmö

Roskildevägen 1
211 47 Malmö
+46 (0)40 60 80 400

What can we offer you?

We are growing and find ourselves in a phase of strong expansion, and we can offer you a stimulating, creative and exciting challenge. Our employees are the company's strength and driving force, and we encourage independent thinking and personal development.


  • Value driven organisation

    Our four values form the cornerstones of our expansion: togetherness, professionalism, initiative and integrity.

  • Attract the best employees

    In our expansion we have a great need for skilled and competent employees who also contribute their commitment and engagement to their colleagues. By building the right team with the right attitude, we can reach our goals.

  • Health and work environment

    As an employer, we must meet our employees at all stages of their careers and private lives, thereby creating the right conditions for working optimally. Working proactively with health and work-life balance is crucial for us.

  • Personal development

    As an employee, you have a responsibility for your personal development while working for us. Together with clear leadership, we give you the right opportunities to develop as a person and in your professional role.

Workplace and culture

Our attitude is that together we make a difference and create results. No matter where in the organisation you are, it is always about teamwork. Our ambition is to become one of the best employers in the digital security segment.

Already working at Advenica AB?

Let’s recruit together and find your next colleague.