Red Hat and Google introduce Sigstore, a service for cryptographic code verification

Red Hat and Google, together with Purdue University, have founded the Sigstore project, which aims to create tools and services for verifying software using digital signatures and for maintaining a public log that confirms authenticity (a transparency log). The project will be developed under the auspices of the non-profit Linux Foundation.

The proposed project is intended to improve the security of software distribution channels and protect against attacks that aim to substitute software components and dependencies (the supply chain). One of the main security problems of open-source software is the difficulty of verifying a program's origin and of verifying the build process. For example, most projects use hashes to verify the integrity of releases, but the information needed for that verification is often stored on unprotected systems and in shared code repositories, so attackers can compromise the files needed for verification and introduce malicious changes without raising suspicion.

Only a small fraction of projects use digital signatures when distributing releases, because of the difficulty of managing keys, distributing public keys, and revoking compromised keys. For verification to make sense, a reliable and secure process for distributing public keys and checksums also has to be organized. Even when a digital signature is available, many users skip verification because they would have to spend time learning the verification process and working out which key is trustworthy.

Sigstore is described as the equivalent of Let's Encrypt for code: it provides certificates for digitally signing code and tools for automating verification. With Sigstore, developers can digitally sign application-related artifacts such as release files, container images, manifests, and executables. A distinctive feature of Sigstore is that the material used for signing is recorded in a tamper-resistant public log that can be used for verification and auditing.

Instead of permanent keys, Sigstore uses short-lived ephemeral keys, generated on the basis of credentials verified by OpenID Connect providers (when the signing keys are generated, the developer authenticates through an OpenID provider linked to an email address). The authenticity of the keys is confirmed through the public centralized log, which makes it possible to verify that the author of a signature is who they claim to be and that the signature was created by the same participant who was responsible for previous releases.

Sigstore offers both a ready-made service that can be used right away and a set of tools that let you deploy the same services on your own infrastructure. The service is free for all developers and software vendors, and it is operated by a neutral party, the Linux Foundation. All components of the service are open source, written in Go, and distributed under the Apache 2.0 license.

Among the components developed, the following are worth noting:

  • Rekor is an implementation of a log for storing digitally signed metadata that reflects information about projects. To ensure integrity and protect against data being altered after the fact, a tree-like "Merkle Tree" structure is used, in which each branch certifies all subordinate branches and nodes thanks to combined (tree-like) hashing. Having the final hash, a user can verify the correctness of the entire history of operations as well as the correctness of past states of the database (the root hash certifying the new state of the database is computed taking the previous state into account). A RESTful API and a CLI interface are provided for verifying and adding new records.
  • Fulcio (SigStore WebPKI) is a system for creating certificate authorities (Root CAs) that issue short-lived certificates based on an email address authenticated via OpenID Connect. The certificate lifetime is 20 minutes, within which the developer must produce the digital signature (if the certificate later falls into an attacker's hands, it will already have expired).
  • Cosign (Container Signing) is a toolkit for generating container signatures, verifying signatures, and placing signed containers in OCI (Open Container Initiative)-compatible repositories.
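As an added example, not Sigstore's or Rekor's own code, here is the verification idea from the Rekor item above in Go: an append-only Merkle tree with RFC 6962-style hashing, an inclusion proof for one record, and a check that recomputes the root from nothing but that record and its proof. The use of SHA-256 with the RFC 6962 leaf/node prefixes and any record contents passed in are assumptions for illustration.

```go
package main

import "crypto/sha256"

// Hash is a SHA-256 digest; leaves and nodes are domain-separated as in RFC 6962 (Rekor's scheme).
type Hash = [32]byte
func leafHash(entry []byte) Hash { return sha256.Sum256(append([]byte{0}, entry...)) }
func nodeHash(l, r Hash) Hash { return sha256.Sum256(append(append([]byte{1}, l[:]...), r[:]...)) }

// split returns the largest power of two strictly below n (RFC 6962's k), giving a left-heavy tree.
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// pathTo returns the tree head over entries plus the sibling hashes along the
// path of entry idx (leaf to root), which is the inclusion proof for that entry.
func pathTo(entries [][]byte, idx int) (Hash, []Hash) {
	if len(entries) == 1 {
		return leafHash(entries[0]), nil
	}
	k := split(len(entries))
	if idx < k {
		lRoot, proof := pathTo(entries[:k], idx)
		rRoot, _ := pathTo(entries[k:], 0)
		return nodeHash(lRoot, rRoot), append(proof, rRoot)
	}
	lRoot, _ := pathTo(entries[:k], 0)
	rRoot, proof := pathTo(entries[k:], idx-k)
	return nodeHash(lRoot, rRoot), append(proof, lRoot)
}

// rebuild folds a leaf hash and its proof back up to a candidate root, branching as pathTo did.
func rebuild(h Hash, idx, size int, proof []Hash) Hash {
	if size == 1 || len(proof) == 0 {
		return h
	}
	k, top, rest := split(size), proof[len(proof)-1], proof[:len(proof)-1]
	if idx < k {
		return nodeHash(rebuild(h, idx, k, rest), top)
	}
	return nodeHash(top, rebuild(h, idx-k, size-k, rest))
}

// verifyInclusion: with only the published root, check that entry sits at idx in a size-entry log.
func verifyInclusion(entry []byte, idx, size int, proof []Hash, root Hash) bool {
	return idx >= 0 && idx < size && rebuild(leafHash(entry), idx, size, proof) == root
}
```

A client that has pinned the published root needs only its own record and the short proof to detect a swapped record, a wrong position or an altered proof; appending a record produces a new root that depends on the old one, which is the property the Rekor item describes.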

Source: opennet.ru
