Red Hat and Google announce Sigstore, a cryptographic code verification service

Red Hat and Google, together with Purdue University, have founded the Sigstore project, which aims to create tools and services for verifying software using digital signatures and a public log that confirms authenticity (a transparency log). The project will be developed under the auspices of the non-profit Linux Foundation.

The proposed project is intended to improve the security of software distribution channels and to protect against attacks that substitute software components and dependencies (the supply chain). One of the main security problems in open source software is the difficulty of verifying where a program came from and confirming its build process. For example, most projects use hashes to verify the integrity of a release, but the information needed for verification is often kept on unprotected systems and in shared code repositories, so attackers can compromise the very files needed for verification and introduce malicious changes without arousing suspicion.

Only a small fraction of projects use digital signatures when distributing releases, because of the difficulty of managing keys, distributing public keys, and revoking compromised keys. For verification to be meaningful, a reliable and secure process for distributing public keys and checksums must also be organized. Even when a digital signature exists, many users skip verification because they would have to spend time learning the verification procedure and working out which key is trustworthy.

Sigstore is positioned as the equivalent of Let's Encrypt for code, providing certificates for digitally signing code and tools for automating verification. With Sigstore, developers can digitally sign application-related artifacts such as release files, container images, manifests, and executables. A distinctive feature of Sigstore is that the material used for signing is recorded in a tamper-evident public log that can be used for verification and auditing.

Instead of permanent keys, Sigstore uses short-lived ephemeral keys, generated on the basis of credentials confirmed by OpenID Connect providers (when generating the keys for a digital signature, the developer identifies themselves through an OpenID provider tied to an email address). The authenticity of the keys is verified using a centralized public log, which makes it possible to confirm that the author of a signature is exactly who they claim to be and that the signature was created by the same participant who was responsible for past releases.

Sigstore offers a ready-to-use service, as well as a set of tools that let you deploy equivalent services on your own equipment. The service is free for all developers and software vendors, and is hosted on a neutral platform, the Linux Foundation. All components of the service are open source, written in Go and distributed under the Apache 2.0 license.

Among the components developed, the following can be noted:

  • Rekor is an implementation of a log for storing digitally signed metadata that records information about projects. To ensure integrity and protect against after-the-fact data tampering, a tree-like "Merkle Tree" structure is used, in which each branch verifies all the branches and nodes beneath it through joint (tree-like) hashing. Given the final hash, a user can verify the correctness of the entire history of operations, as well as the correctness of past states of the database (the root verification hash for a new state of the database is computed taking the previous state into account). A REST API is provided for verifying and adding new records, along with a CLI interface.
  • Fulcio (SigStore WebPKI) is a system for creating certificate authorities (Root CAs) that issue short-lived certificates based on an email address verified through OpenID Connect. The certificate lifetime is 20 minutes, within which the developer must generate the digital signature (if the certificate later falls into an attacker's hands, it will already have expired).
  • Cosign (Container Signing) is a tool for generating container signatures, verifying signatures, and placing signed containers in OCI (Open Container Initiative)-compatible repositories.
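The Merkle tree check described in the Rekor entry, as an added Go example that is not part of Sigstore's own code: RFC 6962-style leaf and node hashing, an audit path for one entry, and the inclusion check a client can run with nothing but the published root hash. The five entries in `sampleLog` are constructed stand-ins for signed metadata records, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"math/bits"
)

var sampleLog = [][]byte{[]byte("entry-0"), []byte("entry-1"), []byte("entry-2"), []byte("entry-3"), []byte("entry-4")} // constructed stand-ins for signed metadata records
// RFC 6962 hashing: 0x00 prefix for leaves, 0x01 for interior nodes.
func hash(prefix byte, parts ...[]byte) []byte {
	sum := sha256.Sum256(append([]byte{prefix}, bytes.Join(parts, nil)...))
	return sum[:]
}

// rootAndProof returns the tree hash of the (non-empty) leaves and the audit path
// (sibling hashes, leaf level first) for leaf idx, split as in RFC 6962 section 2.1.
func rootAndProof(leaves [][]byte, idx int) ([]byte, [][]byte) {
	if len(leaves) == 1 {
		return hash(0x00, leaves[0]), nil
	}
	k := 1 << (bits.Len(uint(len(leaves)-1)) - 1) // largest power of two below len(leaves)
	lr, lp := rootAndProof(leaves[:k], idx)
	rr, rp := rootAndProof(leaves[k:], idx-k)
	if idx < k {
		return hash(0x01, lr, rr), append(lp, rr)
	}
	return hash(0x01, lr, rr), append(rp, lr)
}

// verifyInclusion rebuilds the root from one leaf, its index, the tree size and the audit path (RFC 9162 section 2.1.3.2).
func verifyInclusion(leaf []byte, idx, size int, proof [][]byte, root []byte) bool {
	if idx < 0 || idx >= size {
		return false
	}
	fn, sn, r := idx, size-1, hash(0x00, leaf)
	for _, p := range proof {
		if sn == 0 {
			return false // path is longer than the tree is deep
		}
		if fn&1 == 1 || fn == sn { // sibling is on the left
			t := bits.TrailingZeros(uint(fn)) // last leaf with no sibling: skip the levels it climbs alone
			r, fn, sn = hash(0x01, p, r), fn>>t, sn>>t
		} else {
			r = hash(0x01, r, p) // sibling is on the right
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}
```

Calling `rootAndProof(sampleLog, 2)` and then `verifyInclusion(sampleLog[2], 2, 5, proof, root)` returns true, while a modified entry, a wrong index, or a truncated path is rejected.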

Source: opennet.ru