Sigstore

Sigstore Overview¶

Component	Description
Cosign	Creates a key pair and then uses the private key to create a digital signature of software artifacts The software developer must attach a signature to the created artifact Cosign (in combination with Fulcio) reduces the burden on software developers by allowing them to use their identity associated with popular internet platforms (like GitHub) and therefore avoid storing private keys
Fulcio	A certificate authority that binds public keys to email addresses (such as a Google account) using OpenID Connect Fulcio serves as a trusted third party, helping parties that need to attest and verify identities
Rekor	Stores records of artifact metadata, providing transparency for signatures and therefore helping the open source software community monitor and detect any tampering of the software supply chain It is an append-only data log that stores signed metadata about a software artifact

#	Use Case	Description	Tool
1	Sign code	Easy authentication and smart cryptography work in the background. Just push your code	Cosign
2	Verify signatures	Rekor transparency logs store unique identification like who created it and where it was built, so you know it hasn't been changed	Rekor
3	Monitor activity	Logged data is readily auditable, for future monitors and integrations to build into your security workflow

Tell sigstore to do the signing:
- Fulcio requests a certificate from sigstore's root Certificate Authority (CA)
- This checks you are who you say you are using OpenID Connect, which looks at your email address to prove you're the author
- Fulcio grants a time-stamped certificate, a way to say you're signed in and that it's you.
Forget keys:
- You don't have to do anything with keys yourself, and sigstore never obtains your private key
- The public key that Cosign creates gets bound to your certificate, and the signing details get stored in sigstore's trust root
Obtain a signature:
- Your certificate then comes back to sigstore, where sigstore exchanges keys, asserts your identity and signs everything off
- The signature contains the hash itself, public key, signature content and the time stamp
- This all gets uploaded to a Rekor transparency log, so anyone can check that what you've put out there went through all the checks needed to be authentic

Tool	Description
gitsign	Keyless Git signing with Sigstore
docker-publish.yml	GitHub has integrated sigstore support for container image signing into the GitHub Actions starter workflow
Marco Lancini Build, sign, and compute the SBOM of a container image	A reusable Github Action workflow that: Builds a container image Scans it with `Trivy` Pushes it to ECR Signs it with `cosign` Computes its SBOM with `Syft` Attaches the SBOM to it via `cosign`

Link	Notes
How sigstore works	A new standard for signing, verifying and protecting software
Get Started with Sigstore (free course)	Learn how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source
Where Do I Sign? Step-by-step Sigstore Adoption	Using Sigstore, we can iteratively improve our supply chain security, starting with signed attestations and moving toward signed provenance to protect the build
Safeguard your containers with new container signing capability in GitHub Actions	GitHub has partnered with the OpenSSF and Project Sigstore to add container image signing to our default “Publish Docker Container” workflow
Zero-friction “keyless signing” with Github Actions	How to use cosign to sign container images built in Github
Secure your software supply chain using Sigstore and GitHub actions	How to secure your software supply chain by applying some SLSA requirements in your GitHub actions workflow
A Guide to Running Sigstore Locally	How to stand up a Sigstore deployment on your own infrastructure on Kubernetes so that you will be able to take advantage of the benefits and the assurance of not exposing sensitive resources