Trusty is a free-to-use web app that provides data and scoring on the supply chain risk for open source packages.
Securi-Taco Tuesdays is a new livestream series from Stacklok, where we talk to the people who are working behind the scenes to make the software supply chain more secure…over tacos! Last month was our inaugural episode where our CTO, Luke Hinds, gave us a 101-level overview of software supply chain security. You can catch the blog recap here, or watch the replay here.
This month we were thrilled to have Bob Callaway & Hayden Blauzvern from Google’s Open Source Security Team (GOSST) join Adolfo García Veytia to chat about code signing and Sigstore. Unfortunately, I couldn’t make it as I got taken out by Covid, but I’m here to recap it for you and give you the highlights!
Hayden kicked off the discussion by shedding light on digital signatures, emphasizing their crucial properties of integrity, authenticity, and non-repudiation, and diving into how code signing works.
Code signing involves using digital signatures to verify the authenticity and integrity of software artifacts. It allows developers to cryptographically sign their code, ensuring that it has not been tampered with or modified since it was signed. This process provides several crucial benefits:
Integrity Verification: Code signing guarantees that the code has not been altered or manipulated in any way after it was signed. Any unauthorized changes to the code will invalidate the signature, alerting users to potential tampering.
Authenticity Assurance: By verifying the signature, users can confirm that the code they are about to execute originates from the intended author or publisher. This helps prevent malicious actors from impersonating legitimate entities and distributing counterfeit software.
Non-Repudiation: Code signing establishes a level of accountability, ensuring that the signer cannot deny having signed the code. This non-repudiation feature is crucial for maintaining trust and preventing disputes.
Code signing involves two cryptographic keys: a private key and a public key. The private key is kept secret by the signer, while the public key is made publicly available. When a piece of code is signed, the private key is used to generate a digital signature. This signature is then attached to the code artifact. When a user wants to verify the authenticity of the code, they use the public key to validate the signature. If the signature is valid, it confirms that the code has not been tampered with and can be trusted.
While code signing offers significant security advantages, it also presents several challenges:
Key Management: Managing cryptographic keys securely is crucial to the effectiveness of code signing. Losing or compromising a private key can have severe consequences.
Key Distribution: Distributing public keys in a secure and reliable manner is another challenge. Users need to be able to obtain the correct public key associated with the signed code to verify its authenticity.
Identity Verification: Establishing the identity of the signer and associating it with the public key is vital for trust and accountability in code signing.
Bob Callaway elaborated on Sigstore, explaining that it is a graduated open source project hosted by the Open Source Security Foundation (OpenSSF) with the goal of simplifying code signing for developers and enhancing the verification process for users.
Key Management: Sigstore introduces the concept of "Revocation Transparency," which allows signers to securely revoke compromised private keys. This revocation information is stored in a transparent and auditable manner, ensuring that users can trust that revoked keys are no longer valid.
Key Distribution: Sigstore leverages decentralized public key infrastructure (PKI) to distribute public keys securely. This PKI is built on a network of trusted entities called "Revocation Transparency Logs" (RTLs), ensuring that public keys are accessible and verifiable.
Identity Verification: Sigstore incorporates a decentralized identity framework that allows signers to prove their identity without relying on a single centralized authority. This framework supports various identity providers, enabling signers to use their preferred method of authentication.
As the conversation progressed, Adolfo, Bob, and Hayden explored Sigstore's technical aspects, including its architecture, various components, and seamless integration with other tools and platforms. They shared real-world examples of organizations successfully leveraging Sigstore to enhance their software supply chain security posture.
Sigstore’s high-level architecture
Sigstore is a combination of technologies to handle signing, verification and provenance checks that respect privacy and work at scale:
Cosign: For signing and verification of artifacts and containers, with storage in an Open Container Initiative (OCI) registry, making signatures and in-toto/SLSA attestations invisible infrastructure.
Rekor: Append-only, auditable transparency log service, Rekor records signed metadata to a ledger that can be queried, but can’t be tampered with.
Policy Controller: Policy Controller is used to enforce policy on a cluster on verifiable supply-chain metadata from Cosign.
OpenID Connect: An identity layer that checks if you're who you say you are. It lets clients request and receive information about authenticated sessions and users.
Fulcio: Code-signing certificate authority, issuing short-lived certificates to an authenticated identity and publishing them to a certificate transparency log.
Trust root: The foundation for trust underpinning Sigstore utilizes TUF. This repository describes this process, our keyholders, and how the root keys are protected.
The livestream offered valuable insights into the current landscape of code signing and highlighted Sigstore's potential to revolutionize software supply chain security. By leveraging Sigstore, developers and organizations can significantly enhance the security of their software supply chains, instill trust among users, and mitigate the risks associated with compromised code. As the adoption of Sigstore continues to grow, the hope is of a future where secure code signing becomes a standard practice, leading to a more resilient and trustworthy software ecosystem.
Watch the entire conversation here:
Join us for our next Securi-Taco Tuesday episode: Understanding Software Trust: Let’s explore Secure Attestations & the in-toto framework on September 17, 2024 at 12pm CMST (11am PT | 12pm CT | 2pm ET | 7pm BST) with guest speaker Santiago Torres-Arias.
To stay up to date with this series:
And don’t forget to check out Minder to help keep your software secure. Minder makes it easier to apply and automate the enforcement of security checks and policies across your organization’s GitHub repositories. It’s built on open source and free forever for public repos.