Sigstore cryptographic verification system announced

Google has announced the first stable releases of the components that make up the Sigstore project, which is now declared suitable for building production deployments. Sigstore develops tools and services for software verification using digital signatures, backed by a public log that confirms the authenticity of changes (a transparency log). The project is being developed under the auspices of the non-profit Linux Foundation by Google, Red Hat, Cisco, VMware, GitHub and HP Enterprise with the participation of OpenSSF (Open Source Security Foundation) and Purdue University.

Sigstore can be thought of as a Let's Encrypt for code, providing certificates for digitally signing code and tools for automating verification. With Sigstore, developers can digitally sign application-related artifacts such as release files, container images, manifests, and executables. The material used for signing is reflected in a tamper-proof public log that can be used for verification and auditing.

Instead of permanent keys, Sigstore uses short-lived ephemeral keys that are generated on the basis of credentials verified by OpenID Connect providers: at the moment the keys needed to create a digital signature are generated, the developer authenticates through the OpenID provider, which binds the keys to an email address. The authenticity of the keys is attested by a public centralized log, which lets anyone confirm that the author of a signature is who they claim to be and that the signature was produced by the same party responsible for past releases.

Sigstore's readiness for deployment follows from the release of two key components, Rekor 1.0 and Fulcio 1.0, whose programming interfaces are declared stable and will retain backward compatibility from now on. The service components are written in Go and distributed under the Apache 2.0 license.

The Rekor component implements the log that stores digitally signed metadata describing projects. To ensure integrity and protect against data tampering, the log uses a Merkle tree structure in which each node's hash covers all branches and nodes beneath it through hierarchical (tree) hashing. Given the current root hash, a user can verify the correctness of the entire history of operations as well as past states of the database (the root hash of the new state is computed from the previous state). A RESTful API is provided for verifying and adding records, along with a command line interface.
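To make the Merkle-tree guarantee concrete, here is an added example (not Rekor's own code) of the RFC 6962 tree hashing that Certificate Transparency-style logs use: it builds a root over constructed sample entries, produces an inclusion proof for one leaf, and verifies that proof against the root, so that a tampered entry or a wrong tree size is rejected. The entry strings and the helper names are assumptions made for illustration.

```python
import hashlib

# RFC 6962 domain separation: leaves and interior nodes use different prefixes,
# so an interior node can never be passed off as a leaf (or the reverse).
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # Largest power of two strictly less than n (n > 1): the left subtree size.
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root(hashes: list[bytes]) -> bytes:
    """Merkle tree hash over the leaf hashes: the value the log publishes."""
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return node_hash(root(hashes[:k]), root(hashes[k:]))

def inclusion_proof(hashes: list[bytes], i: int) -> list[bytes]:
    """Sibling hashes, ordered leaf-to-root, that tie leaf i to the root."""
    if len(hashes) <= 1:
        return []
    k = _split(len(hashes))
    if i < k:
        return inclusion_proof(hashes[:k], i) + [root(hashes[k:])]
    return inclusion_proof(hashes[k:], i - k) + [root(hashes[:k])]

def verify_inclusion(leaf: bytes, i: int, n: int, proof: list[bytes], expected: bytes) -> bool:
    """Recompute the root from one leaf plus its proof (RFC 9162, section 2.1.3.2)."""
    if i >= n:
        return False
    fn, sn, r = i, n - 1, leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)          # p is a left sibling (or a full left subtree)
            while fn & 1 == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)          # p is a right sibling
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == expected
```

A verifier only needs the leaf, its index, the tree size, the proof and the published root; it never needs the rest of the log, which is what makes auditing a large transparency log cheap.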

The Fulcio component (SigStore WebPKI) provides a system for running certificate authorities (root CAs) that issue short-lived certificates bound to an email address authenticated via OpenID Connect. A certificate is valid for 20 minutes, within which the developer must generate the digital signature; if the certificate later falls into an attacker's hands, it will already have expired. In addition, the project develops the Cosign (Container Signing) toolkit, designed to generate signatures for containers, verify signatures and publish signed containers to repositories compatible with OCI (Open Container Initiative).

Adopting Sigstore makes it possible to raise the security of software distribution channels and to protect against supply chain attacks that substitute libraries and dependencies. One of the key security problems in open source software is the difficulty of verifying the origin of a program and its build process. For example, most projects use hashes to check the integrity of a release, but the information needed for that check is often stored on unprotected systems or in the same shared repositories as the code; if those are compromised, attackers can replace the files used for verification and introduce malicious changes without arousing suspicion.

Digital signatures for release verification have not yet become widespread because of the difficulty of key management, public key distribution, and revocation of compromised keys. For verification to be meaningful, a reliable and secure process for distributing public keys and checksums is also required. Even when a digital signature is available, many users skip verification because it takes time to learn the verification process and to work out which key is trustworthy. The Sigstore project aims to simplify and automate these processes by providing a ready-made, proven solution.

Source: opennet.ru