github I put up for discussion proposal to introduce the Sigstore service for the verification of digital signatures and maintaining public logs for Confirmation of authenticity in the spread of releases. The use of SigStore will make it possible to implement an additional level of attacks against attacks aimed at changing software components and dependencies. For example, the implemented change will protect the initial texts of the projects in the case of compromising the account of the developer of one of the dependencies in NPM and the attacker forming a package with malicious code.
Thanks to the new level of protection, developers will be able to tie the formed package to the used source code and assembly environment, giving the user the opportunity to make sure that the contents of the package corresponds to the contents of the source texts of the project mainly. The use of Sigstore greatly simplifies the key management process and allows you to get rid of the difficulties associated with registration, review and management of cryptographic keys. SigStore is presented as an analogue of Let’s Encrypt for code, providing certificates to certify code with digital signatures and tools for automation of the check.
Instead of regular keys in Sigstore, short -lived ephemeral keys are used, which are generated on the basis of authority. The material used for the signature is reflected in the public log protected from making changes, which allows you to make sure that the author of the signature is exactly the one for whom he is issuing himself, and the signature was formed by the same participant that he was responsible for past releases. To ensure the integrity and protection against data distortion, the tree -like “Merkle Tree” tree (Merkle Tree) is used, in which each branch verifies all the underlying branches and nodes due to joint (tree -like) hashing. Having a final hash, the user can verify the correctness of the entire history of operations, as well as the correctness of past states of the database (the root verification hash of the new state of the base is calculated taking into account the past state).