Sigstore
Sigstore Overview
Components
| Component | Description |
|---|---|
| Cosign | Signing and verification tool; creates the key pair whose public key gets bound to your certificate |
| Fulcio | Certificate authority that issues a short-lived, time-stamped certificate after an OpenID Connect identity check |
| Rekor | Transparency log that records the signing details so anyone can check them later |
Use Cases
| # | Use Case | Description | Tool |
|---|---|---|---|
| 1 | Sign code | Easy authentication, with the cryptography handled in the background. Just push your code | Cosign |
| 2 | Verify signatures | Rekor transparency logs store identifying details such as who created the artifact and where it was built, so you know it hasn't been changed | Rekor |
| 3 | Monitor activity | Logged data is readily auditable, so future monitors and integrations can build it into your security workflow | |
How sigstore works
- Tell sigstore to do the signing:
  - Fulcio requests a certificate from sigstore's root Certificate Authority (CA)
  - This checks you are who you say you are using OpenID Connect, which looks at your email address to prove you're the author
  - Fulcio grants a time-stamped certificate, a way to say you're signed in and that it's you
- Forget keys:
  - You don't have to do anything with keys yourself, and sigstore never obtains your private key
  - The public key that Cosign creates gets bound to your certificate, and the signing details get stored in sigstore's trust root
- Obtain a signature:
  - Your certificate then comes back to sigstore, where sigstore exchanges keys, asserts your identity and signs everything off
  - The signature contains the hash itself, the public key, the signature content and the time stamp
  - This all gets uploaded to a Rekor transparency log, so anyone can check that what you've put out there went through all the checks needed to be authentic
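A worked model of the flow above, added here as an illustration and not Sigstore's own code: a root CA stands in for sigstore's trust root, `Sign` does what Fulcio and Cosign do together (a short-lived certificate bound to the OIDC-attested email, an ephemeral key that signs the artifact digest and is then dropped), and `Verify` applies the consumer's policy using the time the log recorded rather than the current clock, which is what makes a ten-minute certificate usable long after signing. The root, the email, the artifact and the ten-minute lifetime are constructed for the example; the OIDC issuer pin, the Rekor inclusion proof and Fulcio's real certificate extensions are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added model of the keyless flow, not Sigstore's code: the certificate Fulcio
// would issue and the time Rekor would record are both produced locally.

func NewRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{ // self-signed CA standing in for sigstore's trust root
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign models the signer: an ephemeral key, a 10-minute certificate binding its
// public key to the OIDC-attested email, and the artifact digest signed under it.
func Sign(root *x509.Certificate, rootKey *ecdsa.PrivateKey, email string, artifact []byte, now time.Time) (sig, certDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage: x509.KeyUsageDigitalSignature, EmailAddresses: []string{email},
	}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(artifact)
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:]) // key is dropped when we return
	return sig, certDER, err
}

// Verify is the consumer's policy: the cert chains to the root and was valid at
// loggedAt (the log's time, not "now"), the email matches, the signature covers the artifact.
func Verify(root *x509.Certificate, certDER, sig, artifact []byte, loggedAt time.Time, wantEmail string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: loggedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("certificate not valid at logged time: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantEmail {
		return errors.New("signer identity does not match policy")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if digest := sha256.Sum256(artifact); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not cover this artifact")
	}
	return nil
}

// Scenario returns the outcomes for the genuine bundle, a tampered artifact,
// and a log time after the certificate expired (constructed inputs throughout).
func Scenario() (genuine, tampered, expired error) {
	root, rootKey, err := NewRoot()
	if err != nil {
		return err, err, err
	}
	artifact, email := []byte("example artifact contents"), "dev@example.com" // constructed
	now := time.Now()
	sig, certDER, err := Sign(root, rootKey, email, artifact, now)
	if err != nil {
		return err, err, err
	}
	return Verify(root, certDER, sig, artifact, now, email),
		Verify(root, certDER, sig, []byte("tampered"), now, email),
		Verify(root, certDER, sig, artifact, now.Add(time.Hour), email) // cert lapsed 50 min earlier
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `<nil>` for the genuine case and an error for the other two. The design point is in `Verify`: checking the certificate against the log's recorded time is what lets a signature outlive its ten-minute certificate, while a log time after expiry (the third case) is still rejected.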
Implementation
GitHub
| Tool | Description |
|---|---|
| gitsign | Keyless Git signing with Sigstore |
| docker-publish.yml | GitHub has integrated sigstore support for container image signing into the GitHub Actions starter workflow |
| Marco Lancini: Build, sign, and compute the SBOM of a container image | A reusable GitHub Actions workflow that: |
References
| Link | Notes |
|---|---|
| How sigstore works | A new standard for signing, verifying and protecting software |
| Get Started with Sigstore (free course) | Learn how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source |
| Where Do I Sign? Step-by-step Sigstore Adoption | Using Sigstore, we can iteratively improve our supply chain security, starting with signed attestations and moving toward signed provenance to protect the build |
| Safeguard your containers with new container signing capability in GitHub Actions | GitHub has partnered with the OpenSSF and Project Sigstore to add container image signing to our default "Publish Docker Container" workflow |
| Zero-friction "keyless signing" with GitHub Actions | How to use cosign to sign container images built in GitHub |
| Secure your software supply chain using Sigstore and GitHub Actions | How to secure your software supply chain by applying some SLSA requirements in your GitHub Actions workflow |
| A Guide to Running Sigstore Locally | How to stand up a Sigstore deployment on your own Kubernetes infrastructure, so that you get the benefits of Sigstore without exposing sensitive resources |