Sigstore
Sigstore Overview¶
Components¶
| Component | Description |
|---|---|
| Cosign |
|
| Fulcio |
|
| Rekor |
|
Use Cases¶
| # | Use Case | Description | Tool |
|---|---|---|---|
| 1 | Sign code | Easy authentication and smart cryptography work in the background. Just push your code | Cosign |
| 2 | Verify signatures | Rekor transparency logs store unique identification like who created it and where it was built, so you know it hasn't been changed | Rekor |
| 3 | Monitor activity | Logged data is readily auditable, for future monitors and integrations to build into your security workflow |
How sigstore works¶
- Tell sigstore to do the signing:
- Fulcio requests a certificate from sigstore's root Certificate Authority (CA)
- This checks you are who you say you are using OpenID Connect, which looks at your email address to prove you're the author
- Fulcio grants a time-stamped certificate, a way to say you're signed in and that it's you.
- Forget keys:
- You don't have to do anything with keys yourself, and sigstore never obtains your private key
- The public key that Cosign creates gets bound to your certificate, and the signing details get stored in sigstore's trust root
- Obtain a signature:
- Your certificate then comes back to sigstore, where sigstore exchanges keys, asserts your identity and signs everything off
- The signature contains the hash itself, public key, signature content and the time stamp
- This all gets uploaded to a
Rekortransparency log, so anyone can check that what you've put out there went through all the checks needed to be authentic
Implementation¶
GitHub¶
| Tool | Description |
|---|---|
| gitsign | Keyless Git signing with Sigstore |
| docker-publish.yml | GitHub has integrated sigstore support for container image signing into the GitHub Actions starter workflow |
| Marco Lancini Build, sign, and compute the SBOM of a container image | A reusable Github Action workflow that:
|
References¶
| Link | Notes |
|---|---|
| How sigstore works | A new standard for signing, verifying and protecting software |
| Get Started with Sigstore (free course) | Learn how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source |
| Where Do I Sign? Step-by-step Sigstore Adoption | Using Sigstore, we can iteratively improve our supply chain security, starting with signed attestations and moving toward signed provenance to protect the build |
| Safeguard your containers with new container signing capability in GitHub Actions | GitHub has partnered with the OpenSSF and Project Sigstore to add container image signing to our default “Publish Docker Container” workflow |
| Zero-friction “keyless signing” with Github Actions | How to use cosign to sign container images built in Github |
| Secure your software supply chain using Sigstore and GitHub actions | How to secure your software supply chain by applying some SLSA requirements in your GitHub actions workflow |
| A Guide to Running Sigstore Locally | How to stand up a Sigstore deployment on your own infrastructure on Kubernetes so that you will be able to take advantage of the benefits and the assurance of not exposing sensitive resources |