Connecting with sigstore

11 marzo 2021Alex Handy1 minuti (tempo di lettura)

Screenshot at 2021-03-11 12-31-02

Have you ever heard of sigstore? If not, you should learn all about it, as it's an important project from the Linux Foundation. From their About page;

sigstore will be a free to use non-profit software signing service that harnesses existing technologies of x509 PKI and transparency logs.

Users generate ephemeral short-lived key pairs using the sigstore client tooling. The sigstore PKI service will then provide a signing certificate generated upon a successful OpenID connect grant. All certificates are recorded into a certificate transparency log and software signing materials are sent to a signature transparency log. The use of transparency logs introduces a trust root to the users OpenID account. We can then have guarantees that the claimed user was in control of an identity service providers account at the time of signing. Once the signing operation is complete, the keys can be discarded, removing any need for further key management or need to revoke or rotate.

Using OpenID connect identities allows users to take advantage of existing security controls such as 2FA, OTP and hardware token generators.

sigstore’s transparency logs can act as a source of provenance, integrity, and discoverability. Being public and open anyone can monitor sigstore’s transparency logs for occurrences of their software namespace being used, perform queries using an artifact’s digest, return entries signed by a specific email address, public key, etc. Further to this, security researchers can monitor the log to seek out possible nefarious patterns or questionable behavior.

If that sounds like something that would help you to rest easier at night, perhaps you'd like to hear more about sigstore from the Red Hat Office of the CTO. Check out this video featuring Luke Hinds and Bob Callaway from the Red Hat Office of the CTO's Emerging Technologies team as they provide an overview of the project and discuss its future plans.

Sull'autore

Alex Handy

Principal Product Marketing Manager

Red Hatter since 2018, technology historian and founder of The Museum of Art and Digital Entertainment. Two decades of journalism mixed with technology expertise, storytelling and oodles of computing experience from inception to ewaste recycling. I have taught or had my work used in classes at USF, SFSU, AAU, UC Law Hastings and Harvard Law.

I have worked with the EFF, Stanford, MIT, and Archive.org to brief the US Copyright Office and change US copyright law. We won multiple exemptions to the DMCA, accepted and implemented by the Librarian of Congress. My writings have appeared in Wired, Bloomberg, Make Magazine, SD Times, The Austin American Statesman, The Atlanta Journal Constitution and many other outlets.

I have been written about by the Wall Street Journal, The Washington Post, Wired and The Atlantic. I have been called "The Gertrude Stein of Video Games," an honor I accept, as I live less than a mile from her childhood home in Oakland, CA. I was project lead on the first successful institutional preservation and rebooting of the first massively multiplayer game, Habitat, for the C64, from 1986: https://neohabitat.org . I've consulted and collaborated with the NY MOMA, the Oakland Museum of California, Cisco, Semtech, Twilio, Game Developers Conference, NGNX, the Anti-Defamation League, the Library of Congress and the Oakland Public Library System on projects, contracts, and exhibitions.