Red Hat and Google introduce Sigstore, a service for cryptographic code verification

Red Hat and Google, together with Purdue University, have launched the Sigstore project, which aims to develop tools and services for verifying software using digital signatures and for maintaining a public transparency log. The project will be developed under the auspices of the non-profit Linux Foundation.

The project is expected to improve the security of software distribution channels and protect against attacks that substitute software components and dependencies (supply chain attacks). One of the key security problems in open source software is the difficulty of verifying where a project came from and how it was built. For example, most projects publish hashes to confirm the integrity of a release, but the information needed for verification is often stored on unprotected systems or in the shared code repository itself. As a result, an attacker can tamper with the files needed for verification and introduce malicious changes without raising suspicion.

Only a small fraction of projects use digital signatures when distributing releases, because of the difficulty of managing keys, distributing public keys, and revoking compromised keys. For verification to be meaningful, a reliable and secure process for distributing public keys and checksums also has to be organized. Even when a digital signature is provided, many users skip verification because they would have to spend time learning the verification procedure and working out which key can be trusted.

Sigstore is presented as the equivalent of Let's Encrypt for code: it provides digital certificates for signing code and tools for automating verification. With Sigstore, developers can sign application-related artifacts such as release files, container images, manifests, and executables. A key feature of Sigstore is that the material used for signing is recorded in a tamper-proof public log that can be used for verification and auditing.

Instead of permanent keys, Sigstore uses short-lived ephemeral keys, which are generated on the basis of an identity confirmed by an OpenID Connect provider (when the keys for a digital signature are generated, the developer authenticates through an OpenID provider tied to their e-mail address). The authenticity of the keys is confirmed through a public centralized log, which makes it possible to check that the author of a signature is who they claim to be and that the signature was produced by the same participant who was responsible for previous releases.
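The following is an added example, not Sigstore's or Fulcio's code, that models the scheme just described and the short-lived certificates of the Fulcio component: a constructed CA issues a 20-minute certificate binding an (assumed already OIDC-verified) e-mail to a freshly generated key, the signer uses the key once and discards it, and the verifier checks the certificate against the time the signature was logged rather than against its own clock. The CA, the identity `dev@example.com` and the artifact bytes are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical, simplified model of short-lived code-signing certificates, not
// Fulcio's code. The CA, signer identity and artifact are constructed, and the
// OpenID Connect login is assumed to have already verified the e-mail address.

const certLifetime = 20 * time.Minute

// newCA builds a constructed root CA for this example. It is fixture code, so
// the error returns are ignored; none of these calls fail for this template.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-root-ca (constructed)"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// sign generates an ephemeral key, has the CA bind the verified e-mail to it for
// certLifetime from issuedAt, signs the artifact digest and then drops the key.
func sign(artifact []byte, caKey *ecdsa.PrivateKey, caCert *x509.Certificate,
	email string, issuedAt time.Time) (sig, certDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leaf := &x509.Certificate{ // the CA's issuing step
		SerialNumber:   big.NewInt(2),
		EmailAddresses: []string{email},
		NotBefore:      issuedAt,
		NotAfter:       issuedAt.Add(certLifetime),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	certDER, err = x509.CreateCertificate(rand.Reader, leaf, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(artifact)
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return sig, certDER, err
}

// verify checks that the certificate chains to the CA and was valid when the log
// recorded the signature (loggedAt, not the verifier's wall clock), that it names
// the expected signer, and that the signature matches the artifact.
func verify(artifact, sig, certDER []byte, loggedAt time.Time,
	caCert *x509.Certificate, expectedEmail string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: loggedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not valid at logged time: %w", err)
	}
	named := false
	for _, e := range cert.EmailAddresses {
		named = named || e == expectedEmail
	}
	if !named {
		return errors.New("certificate does not name the expected signer")
	}
	digest := sha256.Sum256(artifact)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match artifact")
	}
	return nil
}

func main() {
	caKey, caCert := newCA()
	artifact, now := []byte("constructed release archive bytes"), time.Now()
	sig, certDER, err := sign(artifact, caKey, caCert, "dev@example.com", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("at logged time:", verify(artifact, sig, certDER, now, caCert, "dev@example.com"))
	// The same genuine signature, claimed to have been logged after expiry, is rejected.
	fmt.Println("after expiry:", verify(artifact, sig, certDER, now.Add(certLifetime+time.Minute), caCert, "dev@example.com"))
}
```

Anchoring the validity check to the logged time is what lets a 20-minute certificate verify a release years later, while a certificate that leaks after those 20 minutes cannot be used to get a new signature accepted: any entry logged after expiry fails the same check. In a real deployment the logged time comes from the transparency log entry rather than from the signer, which is the part this model simplifies.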

Sigstore provides a ready-to-use service as well as a set of tools for running the same services on your own hardware. The service is free for all software developers and software providers and is hosted on the neutral platform of the Linux Foundation. All components of the service are open, written in Go, and distributed under the Apache 2.0 license.

Among the components being developed:

  • Rekor is an implementation of a log for storing signed metadata that records information about projects. To ensure integrity and protect against after-the-fact corruption of the data, a tree-like "Merkle Tree" structure is used, in which each branch attests to all of the branches and nodes below it through combined (tree-like) hashing. Given the final hash, a user can verify the correctness of the entire history of operations, as well as the correctness of past states of the database (the root verification hash of the new database state is computed from the previous state). A RESTful API and a CLI interface are provided for verifying and adding new records.
  • Fulcio (SigStore WebPKI) is a system for creating certificate authorities (Root-CAs) that issue short-lived certificates based on an e-mail address verified through OpenID Connect. A certificate is valid for 20 minutes, during which the developer must create the digital signature (if the certificate later falls into the hands of an attacker, it will already have expired).
  • Cosign (Container Signing) is a tool for generating container signatures, verifying signatures, and placing signed containers in OCI (Open Container Initiative) compatible repositories.
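To make the Rekor description concrete, here is an added example (not Rekor's implementation) of the Merkle-tree check it describes: a log of constructed release records is hashed into a single root, an audit path is produced for one record, and a client holding only the published root recomputes the root from the record and its path. The tree shape and the 0x00/0x01 hash prefixes follow RFC 6962; the record strings are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Simplified, hypothetical append-only Merkle log for illustration; not Rekor's
// implementation. It only borrows the RFC 6962 tree shape and domain-separated
// hashing (0x00 prefix for leaves, 0x01 for inner nodes). Logs are non-empty.

func hash(prefix byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{prefix})
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func leafHash(entry []byte) []byte       { return hash(0x00, entry) }
func nodeHash(left, right []byte) []byte { return hash(0x01, left, right) }

// largestPowerOfTwoBelow: RFC 6962 splits a tree of n >= 2 leaves so the left
// subtree holds the largest power of two strictly less than n.
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// merkleRoot folds leaf hashes into the single root hash the log publishes.
func merkleRoot(leaves [][]byte) []byte {
	if len(leaves) == 1 {
		return leaves[0]
	}
	k := largestPowerOfTwoBelow(len(leaves))
	return nodeHash(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
}

// inclusionProof returns the sibling hashes for leaf i, deepest sibling first.
func inclusionProof(i int, leaves [][]byte) [][]byte {
	n := len(leaves)
	if n == 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(n)
	if i < k {
		return append(inclusionProof(i, leaves[:k]), merkleRoot(leaves[k:]))
	}
	return append(inclusionProof(i-k, leaves[k:]), merkleRoot(leaves[:k]))
}

// rootFromProof recomputes the root from a leaf, its index, the tree size and
// the audit path (consumed top-down); nil means the path is malformed.
func rootFromProof(leaf []byte, i, n int, proof [][]byte) []byte {
	if n == 1 || len(proof) == 0 {
		if n == 1 && len(proof) == 0 {
			return leaf
		}
		return nil
	}
	k := largestPowerOfTwoBelow(n)
	sib, rest := proof[len(proof)-1], proof[:len(proof)-1]
	if i < k {
		if left := rootFromProof(leaf, i, k, rest); left != nil {
			return nodeHash(left, sib)
		}
	} else if right := rootFromProof(leaf, i-k, n-k, rest); right != nil {
		return nodeHash(sib, right)
	}
	return nil
}

// verifyInclusion is the check a client can run knowing only the published root.
func verifyInclusion(leaf []byte, i, n int, proof [][]byte, root []byte) bool {
	got := rootFromProof(leaf, i, n, proof)
	return got != nil && bytes.Equal(got, root)
}

// buildLog hashes the entries and returns the leaf hashes and the root.
func buildLog(entries []string) ([][]byte, []byte) {
	leaves := make([][]byte, len(entries))
	for i, e := range entries {
		leaves[i] = leafHash([]byte(e))
	}
	return leaves, merkleRoot(leaves)
}

func main() {
	// Constructed records standing in for signed release metadata.
	leaves, root := buildLog([]string{"rel-1.0.0 sha256=aaaa...", "rel-1.0.1 sha256=bbbb...",
		"img:1.0.1 sha256=cccc...", "rel-1.1.0 sha256=dddd...", "img:1.1.0 sha256=eeee..."})
	proof := inclusionProof(2, leaves)
	fmt.Printf("root: %x\n", root)
	fmt.Println("entry 2 included:", verifyInclusion(leaves[2], 2, len(leaves), proof, root))
	// A substituted record has a different leaf hash, so the same audit path
	// no longer reproduces the published root.
	fmt.Println("forged entry included:", verifyInclusion(leafHash([]byte("img:1.0.1 sha256=ffff...")), 2, len(leaves), proof, root))
}
```

The audit path for a 5-entry log has only three sibling hashes, so a client can confirm that a record is in the log without downloading the log, and any change to a record, its position, or the path itself yields a different root. Rekor's consistency proofs between successive roots, which the article mentions for checking past states, build on the same tree but are not shown here.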

Source: opennet.ru
