Sigstore cryptographic verification system announced

Google has announced the first stable releases of the components that make up the Sigstore project, which is now declared ready for production deployments. Sigstore develops tools and services for verifying software using digital signatures and maintains a public log that confirms the authenticity of changes (a transparency log). The project is developed under the auspices of the non-profit Linux Foundation by Google, Red Hat, Cisco, VMware, GitHub and HP Enterprise, with the participation of OpenSSF (Open Source Security Foundation) and Purdue University.

Sigstore can be thought of as a Let's Encrypt analogue for code: it provides certificates for digitally signing code and tools for automating verification. With Sigstore, developers can digitally sign application-related artifacts such as release files, container images, manifests and executables. The signing material is recorded in a tamper-evident public log that can be used for verification and auditing.

Instead of long-lived keys, Sigstore uses short-lived ephemeral keys, generated on the basis of credentials verified by OpenID Connect providers (at the moment the keys needed to create a digital signature are generated, the developer authenticates through an OpenID provider bound to an email address). The authenticity of the keys is confirmed through a public, centralized log, which makes it possible to verify that the author of a signature is who they claim to be, and that the signature was made by the same participant who was responsible for previous releases.

Sigstore's readiness for deployment follows from the release of two key components, Rekor 1.0 and Fulcio 1.0, whose programming interfaces are declared stable and will remain backward compatible from now on. The service components are written in Go and distributed under the Apache 2.0 license.

The Rekor component implements a log for storing digitally signed metadata reflecting information about projects. To ensure integrity and protect against after-the-fact corruption of the data, a Merkle Tree structure is used, in which each branch vouches for all branches and nodes beneath it through combined (tree) hashing. Given the final hash, a user can verify the correctness of the entire operation history as well as the correctness of past database states (the root verification hash of the new database state is computed taking the previous state into account). A RESTful API is provided for verifying and adding new records, along with a command-line interface.
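The tree hashing described above, as an added illustration that is not part of the original article and is not Rekor's own code: a small Python implementation of a Merkle tree using the RFC 6962 (Certificate Transparency) hashing rules, the same leaf/node domain separation that Rekor's Trillian backend uses. The log entries are constructed sample data, the function names are my own, and the "signed root" is simply the computed root hash (a real log also signs it). It shows the two checks a client can perform with only the root hash in hand: that a given entry is included at a given position, and that the history behind an earlier root has not been rewritten.

```python
import hashlib

# RFC 6962 domain-separation prefixes: a leaf hash and an interior-node hash
# can never collide, so an interior node cannot be passed off as a log entry.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def hash_leaf(entry):
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def hash_node(left, right):
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def split_point(n):
    """Largest power of two strictly less than n (n >= 2), the RFC 6962 split rule."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries):
    """Merkle tree hash (MTH in RFC 6962) of the ordered list of log entries."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = split_point(n)
    return hash_node(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries, index):
    """Audit path for entries[index]: sibling hashes from the leaf up, innermost first."""
    n = len(entries)
    if n <= 1:
        return []
    k = split_point(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]


def _root_from_path(leaf_hash, index, size, path):
    # Mirrors inclusion_proof: the last path element is the sibling at the top split.
    if size == 1:
        return leaf_hash if not path else None
    if not path:
        return None
    k = split_point(size)
    sibling, inner = path[-1], path[:-1]
    if index < k:
        left = _root_from_path(leaf_hash, index, k, inner)
        return None if left is None else hash_node(left, sibling)
    right = _root_from_path(leaf_hash, index - k, size - k, inner)
    return None if right is None else hash_node(sibling, right)


def verify_inclusion(entry, index, tree_size, path, root):
    """True iff entry sits at position index in a tree of tree_size entries with this root.

    The verifier needs only the entry, its index, the tree size, the audit path and
    the root hash; it never needs to download the other log entries.
    """
    if not 0 <= index < tree_size:
        return False
    return _root_from_path(hash_leaf(entry), index, tree_size, path) == root


# Constructed sample entries (not real Rekor records), one per signed artifact.
SAMPLE_LOG = [
    b'{"artifact":"app-1.0.0.tar.gz","sha256":"<placeholder>","signer":"dev@example.org"}',
    b'{"artifact":"app-1.0.1.tar.gz","sha256":"<placeholder>","signer":"dev@example.org"}',
    b'{"artifact":"app:1.0.1","type":"container","signer":"dev@example.org"}',
    b'{"artifact":"app-1.1.0.tar.gz","sha256":"<placeholder>","signer":"dev@example.org"}',
    b'{"artifact":"app:1.1.0","type":"container","signer":"dev@example.org"}',
]


def audit_demo():
    """The checks a client would run; returns each outcome so they can be inspected."""
    old_root = merkle_root(SAMPLE_LOG[:3])  # root published when the log had 3 entries
    new_root = merkle_root(SAMPLE_LOG)      # root after two more entries were appended
    path = inclusion_proof(SAMPLE_LOG, 1)
    size = len(SAMPLE_LOG)
    return {
        "entry_1_included": verify_inclusion(SAMPLE_LOG[1], 1, size, path, new_root),
        "tampered_entry_rejected": not verify_inclusion(b"tampered", 1, size, path, new_root),
        "wrong_position_rejected": not verify_inclusion(SAMPLE_LOG[1], 2, size, path, new_root),
        # Rewriting entry 0 after the fact changes the old root, so the earlier
        # published root no longer matches: the history cannot be silently edited.
        "history_rewrite_detected": merkle_root([b"rewritten"] + SAMPLE_LOG[1:3]) != old_root,
    }


if __name__ == "__main__":
    for check, ok in audit_demo().items():
        print(f"{check}: {ok}")
```

The audit path for an entry is only about log2(n) hashes long, which is why a verifier can confirm inclusion against a log of millions of records without fetching the log itself; the root hash is the single value that has to be obtained from a trusted channel (in Rekor's case, signed by the log).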

The Fulcio component (SigStore WebPKI) includes a system for creating certificate authorities (root CAs) that issue short-lived certificates tied to an email address authorized via OpenID Connect. A certificate lives for 20 minutes, during which the developer must complete the digital signature (if the certificate later falls into an attacker's hands, it will already have expired). In addition, the project develops the Cosign (Container Signing) toolkit, designed for signing containers, verifying signatures and storing signed containers in OCI (Open Container Initiative) compatible registries.

Deploying Sigstore makes it possible to increase the security of software distribution channels and to protect against attacks aimed at substituting libraries and dependencies (the supply chain). One of the main security problems of open-source software is the difficulty of verifying a program's origin and its build process. For example, many projects use hashes to confirm the integrity of releases, but the information needed for that verification is often stored on unprotected systems and in shared code repositories, so attackers can compromise the files needed for verification and introduce malicious changes without raising suspicion.

The use of digital signatures to verify releases has not yet become widespread because of the difficulty of managing keys, distributing public keys and revoking compromised keys. For verification to be meaningful, a reliable and secure process for distributing public keys and checksums must also be organized. Even when a digital signature exists, many users skip verification because they would have to spend time learning the verification procedure and working out which key is trusted. The Sigstore project attempts to simplify and automate these processes by offering a ready-made, proven solution.

Source: opennet.ru
