Sigstore declared ready for production code signing and verification

Google has announced the first stable releases of the components that make up the Sigstore project, which is now declared suitable for building production implementations. Sigstore develops tools and services for verifying software by means of digital signatures and for maintaining public logs that confirm the authenticity of changes. The project is developed under the auspices of the non-profit Linux Foundation by Google, Red Hat, Cisco, VMware, GitHub and Hewlett Packard Enterprise, with the participation of OpenSSF (Open Source Security Foundation) and Purdue University.

Sigstore can be thought of as a Let’s Encrypt for code: it provides certificates for signing code with digital signatures and tools for automating verification. Using Sigstore, developers can produce digital signatures for artifacts related to an application, such as releases, container images, manifests and executable files. The material used for signing is recorded in a tamper-resistant public log that can be used for verification and auditing.

Instead of long-lived keys, Sigstore uses short-lived ephemeral keys generated on the basis of credentials confirmed by OpenID Connect providers (at the moment the keys needed to create a signature are generated, the developer authenticates through an OpenID provider, which binds the key to an email address). The authenticity of the keys is checked against a public centralized log, which makes it possible to confirm that the author of a signature is who they claim to be and that the signature was produced by the same participant who was responsible for past releases.

Sigstore’s readiness for adoption follows the release of its two key components, Rekor 1.0 and Fulcio 1.0, whose programming interfaces are declared stable and will retain backward compatibility. The service components are written in Go and distributed under the Apache 2.0 license.

The Rekor component implements the log that stores metadata about digital signatures, reflecting information about projects. To ensure integrity and protect against data tampering, a Merkle tree structure is used, in which each branch verifies all the branches and nodes beneath it through a combined (tree) hash. Given the final hash, a user can verify the correctness of the entire history of operations as well as the correctness of past states of the database (the root verification hash of the new state is computed taking the previous state into account). A RESTful API and a command-line interface are provided for verifying and adding new records.
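To make the Merkle-tree integrity check concrete, here is an added example (not code from the Sigstore project) of an RFC 6962-shaped log in the form Rekor's Trillian backend uses: leaves are hashed with a 0x00 prefix, interior nodes with 0x01, and the left subtree always covers the largest power of two below the tree size. It computes the tree head, produces an inclusion proof for an entry, and verifies it with the RFC 9162 procedure; the entry names used in testing are constructed samples.

```python
import hashlib

# RFC 6962 domain separation: 0x00 prefixes leaf data, 0x01 interior nodes.
def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly below n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root_hash(leaves: list) -> bytes:
    """Tree head; the right subtree hangs off a full left one, so appending
    entries never rewrites nodes that earlier heads already committed to."""
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return hash_node(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_proof(i: int, leaves: list) -> list:
    """Sibling hashes, leaf to root, needed to recompute the head from leaf i."""
    if len(leaves) <= 1:
        return []
    k = _split(len(leaves))
    if i < k:
        return inclusion_proof(i, leaves[:k]) + [root_hash(leaves[k:])]
    return inclusion_proof(i - k, leaves[k:]) + [root_hash(leaves[:k])]

def verify_inclusion(i: int, n: int, leaf: bytes, path: list, root: bytes) -> bool:
    """RFC 9162 check: a client holding only the published head can confirm an
    entry is in the log without trusting the log operator."""
    if i >= n:
        return False
    fn, sn, r = i, n - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            while fn & 1 == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = hash_node(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

A verifier only needs the published head, the entry's leaf hash, its index and the sibling hashes; a modified entry, or a proof checked against a head for a different tree size, fails to reproduce the head.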
