Google has announced the first stable release of the components that make up the Sigstore project, which is declared ready for deployment in production. Sigstore develops tools and services for verifying software using digital signatures and for keeping a public record that confirms the authenticity of changes (a transparency log). The project is developed under the non-profit Linux Foundation by Google, Red Hat, Cisco, VMware, GitHub and HP Enterprise, with participation from the Open Source Security Foundation (OpenSSF) and Purdue University.
Sigstore can be thought of as Let's Encrypt for code: it provides certificates for digitally signing code and tools for automated verification. With Sigstore, developers can generate digital signatures for application-related artifacts such as release files, container images, manifests and executables. The signature data is recorded in a tamper-resistant public log that can be used for verification and auditing.
Instead of permanent keys, Sigstore uses short-lived (ephemeral) keys generated on the basis of credentials verified by OpenID Connect providers (when generating the keys needed to create a digital signature, the developer authenticates with an OpenID provider tied to an email address). The authenticity of the keys is checked against a centralized public log, which makes it possible to confirm that the signature's author is who they claim to be and that the signature was made by the same participant responsible for previous releases.
Sigstore's readiness for deployment rests on the release of two key components, Rekor 1.0 and Fulcio 1.0, whose APIs are declared stable and will remain backward compatible. The service components are written in Go and distributed under the Apache 2.0 license.
The Rekor component contains an implementation of a log for storing digitally signed metadata that reflects information about a project. To ensure data integrity and protect against retroactive corruption, a Merkle tree structure is used, in which each branch verifies all branches and nodes beneath it through a shared, tree-shaped hashing scheme. Given the final (root) hash, a user can verify the correctness of the entire history of operations as well as the correctness of past states of the database (the root hash that verifies the new database state is computed taking the previous state into account). A RESTful API and a command-line interface are provided for verifying and adding new records.
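As an added illustration of the Merkle-tree mechanism described above (example code written for this article, not Rekor's own code), the following builds a small RFC 6962-style tree over constructed log entries, produces an inclusion proof for one entry, and shows that an entry rewritten after the tree head was published no longer verifies against that head. The log entries, the index chosen and the tampering scenario are all constructed for the example.

```python
import hashlib
# RFC 6962 domain separation, which Rekor's transparency log follows: a leaf is
# hashed with prefix 0x00 and an interior node with 0x01, so a leaf hash can
# never be passed off as a subtree hash.
def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def split(n: int) -> int:
    """RFC 6962 split point: the largest power of two strictly below n."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(entries: list[bytes]) -> bytes:
    """Tree head over the log entries (at least one entry)."""
    if len(entries) == 1:
        return hash_leaf(entries[0])
    k = split(len(entries))
    return hash_node(merkle_root(entries[:k]), merkle_root(entries[k:]))

def inclusion_proof(entries: list[bytes], i: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from entry i up to the root; the flag means 'sibling is on the left'."""
    if len(entries) == 1:
        return []
    k = split(len(entries))
    if i < k:
        return inclusion_proof(entries[:k], i) + [(merkle_root(entries[k:]), False)]
    return inclusion_proof(entries[k:], i - k) + [(merkle_root(entries[:k]), True)]

def verify_inclusion(entry: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the head from one entry and its proof and compare with the published head."""
    h = hash_leaf(entry)
    for sibling, on_left in proof:
        h = hash_node(sibling, h) if on_left else hash_node(h, sibling)
    return h == root

# Constructed sample log: five signing records, as a client might fetch them.
LOG = [f"release-{v}.tar.gz signed-by:dev@example.com".encode() for v in ("1.0", "1.1", "1.2", "2.0", "2.1")]

def demo() -> tuple[bool, bool]:
    """Returns (honest proof verifies, proof for a retroactively altered entry verifies)."""
    root = merkle_root(LOG)                      # head published after the fifth entry
    ok = verify_inclusion(LOG[2], inclusion_proof(LOG, 2), root)
    tampered = LOG[:]                            # a log operator later rewrites an old record
    tampered[2] = b"release-1.2.tar.gz signed-by:attacker@example.com"
    forged = verify_inclusion(tampered[2], inclusion_proof(tampered, 2), root)
    return ok, forged                            # (True, False)
```

A client that remembers an earlier head can therefore detect any rewrite of history, which is the property the root-hash chaining above provides.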
The Fulcio component (Sigstore WebPKI) includes a system for creating certificate authorities (root CAs) that issue short-lived certificates bound to email addresses authorized via OpenID Connect. A certificate has a lifetime of 20 minutes, during which the developer must produce the digital signature (if the certificate falls into an attacker's hands, it will already have expired). The project also develops the Cosign (Container Signing) toolkit, designed for generating container signatures, verifying signatures, and publishing signed containers to OCI (Open Container Initiative)-compliant registries.
Deploying Sigstore improves the security of software distribution channels and protects against attacks aimed at substituting libraries and dependencies (supply chain attacks). One of the key security problems of open source software is the difficulty of verifying a program's origin and validating its build process. For example, many projects use hashes to verify the integrity of releases, but the information needed for that verification is often stored on insecure systems and in shared code repositories. By compromising these, attackers can alter the files needed for verification and introduce malicious changes without arousing suspicion.
Using digital signatures to verify releases has not yet become widespread because of the complexity of key management, public key distribution, and revocation of compromised keys. For verification to be meaningful, a reliable and secure process for distributing public keys and checksums is also needed. Even when a digital signature is available, many users skip verification because it takes time to understand the verification process and decide which keys can be trusted. The Sigstore project aims to simplify and automate these processes by providing a ready-made, proven solution.
Source: opennet.ru
