Red Hat and Google introduce Sigstore, a cryptographic code verification service

Red Hat and Google, together with Purdue University, have launched the Sigstore project, aimed at creating tools and services for verifying software using digital signatures and maintaining a public transparency log. The project will be developed under the umbrella of the non-profit Linux Foundation.

The project is expected to improve the security of software distribution channels and protect against attacks aimed at substituting software components and dependencies (supply chain attacks). One of the key security problems in open-source software is the difficulty of verifying the origin of a project and its build process. For example, most projects use hashes to confirm the integrity of a release, but the information needed for verification is often stored on unprotected systems and in shared code repositories; as a result, attackers can tamper with the very files needed for verification and introduce malicious changes without arousing suspicion.

Only a small fraction of projects use digital signatures when distributing releases, owing to the difficulty of managing keys, distributing public keys and revoking compromised keys. For verification to be meaningful, a reliable and secure way of distributing public keys and checksums must also be organized. Even where a digital signature is present, many users skip verification because they would have to spend time learning the verification process and understanding which key can be trusted.

Sigstore is presented as the equivalent of Let's Encrypt for code, providing digital certificates for signing code and tools for automating verification. With Sigstore, developers can sign application-related artifacts such as release files, container images, manifests and executables. A key feature of Sigstore is that the material used for signing is recorded in a tamper-proof public log that can be used for verification and auditing.

Instead of permanent keys, Sigstore uses ephemeral short-lived keys, which are generated on the basis of an identity confirmed by an OpenID Connect provider (when generating the keys for a digital signature, the developer authenticates through an OpenID provider tied to an email address). The authenticity of the keys is confirmed using a public centralized log, which makes it possible to check that the author of a signature is who they claim to be and that the signature was produced by the same participant who was responsible for past releases.

Sigstore offers both a ready-made service that can be used right away and a set of tools that let you deploy equivalent services on your own infrastructure. The service is free for all developers and software providers and is hosted on neutral ground - the Linux Foundation. All components of the service are open source, written in Go and distributed under the Apache 2.0 license.

Among the components developed so far:

  • Rekor is an implementation of a log for storing signed metadata that reflects information about projects. To ensure integrity and protect against after-the-fact data corruption, a "Merkle Tree" structure is used, in which each branch verifies all the branches and nodes beneath it thanks to combined (tree-structured) hashing. Having the final hash, a user can verify the correctness of the entire history of operations, as well as the correctness of past states of the database (the root hash of the database's new state is computed taking the previous state into account). A RESTful API is provided for verifying and adding new records, as well as a CLI interface.
  • Fulcio (SigStore WebPKI) is a framework for creating certificate authorities (Root-CAs) that issue short-lived certificates based on an email address verified through OpenID Connect. The certificate lifetime is 20 minutes, during which the developer must have time to create the digital signature (if the certificate later falls into the hands of an attacker, it will already have expired).
  • Cosign (Container Signing) is a tool for generating container signatures, verifying signatures and placing signed containers in OCI (Open Container Initiative)-compatible repositories.
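The Rekor item above describes a Merkle tree whose head hash commits to every log entry and lets an auditor check that nothing was altered after the fact. The following Python is an added illustration, not code from Sigstore or Rekor: it builds a tree over constructed sample entries, produces an inclusion proof for one entry, and verifies it against the tree head, while rejecting a tampered entry, a wrong index or a proof of the wrong length. The 0x00/0x01 leaf-versus-node hash prefixes follow the RFC 6962 (Certificate Transparency) convention, which is assumed here for illustration rather than taken from Rekor's own implementation.

```python
import hashlib
from typing import List, Optional

# RFC 6962-style domain separation: leaves are hashed with prefix 0x00 and
# interior nodes with 0x01, so a leaf hash can never pose as an interior node.
def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def split(n: int) -> int:
    """Largest power of two strictly less than n (requires n > 1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(entries: List[bytes]) -> bytes:
    """Tree head: a single hash that commits to every entry, in order."""
    if len(entries) == 1:
        return hash_leaf(entries[0])
    k = split(len(entries))
    return hash_node(merkle_root(entries[:k]), merkle_root(entries[k:]))

def inclusion_proof(entries: List[bytes], i: int) -> List[bytes]:
    """Sibling hashes, leaf to root, from which entry i alone rebuilds the head."""
    if len(entries) == 1:
        return []
    k = split(len(entries))
    if i < k:
        return inclusion_proof(entries[:k], i) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], i - k) + [merkle_root(entries[:k])]

def rebuild(leaf: bytes, i: int, n: int, proof: List[bytes]) -> Optional[bytes]:
    """Consume the proof top-down, mirroring how it was produced; returns None
    when the proof length does not fit the claimed tree size."""
    if n == 1 or not proof:
        return leaf if (n == 1 and not proof) else None
    k, sib, rest = split(n), proof[-1], proof[:-1]
    sub = rebuild(leaf, i, k, rest) if i < k else rebuild(leaf, i - k, n - k, rest)
    if sub is None:
        return None
    return hash_node(sub, sib) if i < k else hash_node(sib, sub)

def verify_inclusion(entry: bytes, i: int, n: int, proof: List[bytes], root: bytes) -> bool:
    """Is entry at index i of an n-entry log whose published head is root?"""
    return 0 <= i < n and rebuild(hash_leaf(entry), i, n, proof) == root
```

For a constructed three-entry log `log`, `verify_inclusion(log[2], 2, 3, inclusion_proof(log, 2), merkle_root(log))` is True, and changing any entry, even an older one, changes the head so that previously issued proofs no longer verify.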

Source: opennet.ru
