|Protect The Software Supply Chain With Gitsign|
|Written by Nikos Vaggalis|
|Monday, 18 July 2022|
Sigstore and the Linux Foundation have taken another step toward securing the software supply chain, this time focusing on the initial stage of the chain. That is, the signing of Git commits.
Supply chain security is all the rage right now and the Linux Foundation's answer to it came through Sigstore:
Understanding and confirming the origin and authenticity of software relies on an often disparate set of approaches and data formats. The solutions that do exist, often rely on digests that are stored on insecure systems that are susceptible to tampering and can lead to various attacks such as swapping out of digests or users falling prey to targeted attacks.
Users generate ephemeral short-lived cryptography keys with the sigstore client tooling and use the keys to sign software. A sigstore PKI service will provide an X.509 signing certificate generated upon a successful OpenID connect grant. All certificates are then recorded into a certificate transparency log and software signing materials are sent to a signature transparency log.
Signing every component along the chain would prove its authenticity. That's what Sigstore does by empowering software developers to securely sign software artifacts such as release files, container images and binaries. These signatures are then stored in a tamper-proof public log - for free.
Since everybody is on Git, what better place to start than with signing the initial artifacts of the supply chain, the commits? While Sigstore had released tools for signing containers and binaries, there was nothing for signing Git commits. This is about to change with Gitsign, which allows you to sign your commits in a keyless fashion using your GitHub / OIDC identity. Not only does this relieve you of the burden of managing the keys yourself, it also deals with the issue of those keys often ending up written inside the source of the repo itself, in effect cancelling out the signing process.
So now, when signing commits as usual with git commit -S, your browser will redirect through Sigstore's keyless flow to authenticate and sign the commit. I say 'as usual' because GitHub already offered commit signing with SSH keys and X.509 certificates, at the cost of managing those keys yourself. Gitsign removes this need.
To install it, we can use 'go', which makes the process as easy as:
After that we have to configure the tool per repository with:
Then, when about to sign a commit, just run:
The commits can then be verified using git verify-commit, since the signatures have been added to the Rekor transparency log (a transparency log for recording supply chain metadata), which ensures that they can be verified even after the signing certificate has expired.
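The install, per-repository configuration, signing and verification steps above, written out as shell functions, as an added example that is not part of the article or of the gitsign project. The install path and the four git config keys follow the gitsign README; the pre-flight check, which parses the repository's .git/config and confirms that git will actually hand signing to gitsign before the first git commit -S, is this example's own addition.

```shell
#!/bin/sh
# Added example (not from the article or the gitsign project): gitsign setup as
# shell functions plus a config pre-flight check. Install path and config keys
# follow the gitsign README; the checker is an assumption of this example.

# Step 1: install the gitsign binary (assumes a Go toolchain on PATH).
install_gitsign() {
    go install github.com/sigstore/gitsign@latest
}

# Step 2: tell git, for this repository only, to sign commits and tags and to
# use gitsign as its x509 signing program in place of gpgsm.
configure_repo() {
    git config --local commit.gpgsign true
    git config --local tag.gpgsign true
    git config --local gpg.x509.program gitsign
    git config --local gpg.format x509
}

# Flatten a git config file into "section.subsection.key=value" lines so the
# check below can grep for exact settings. Handles [section] and
# [section "subsection"] headers; comments and blank lines are skipped.
flatten_git_config() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            s = substr(line, 2, length(line) - 2)   # drop the brackets
            gsub(/[ \t]+"/, ".", s)                 # gpg "x509" -> gpg.x509
            gsub(/"/, "", s)
            sec = tolower(s)
            next
        }
        /=/ {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            print sec "." tolower(k) "=" v
        }
    ' "$1"
}

# Pre-flight check: returns 0 only when every setting configure_repo writes is
# present with the expected value; otherwise names the first missing one.
check_config() {
    cfg="${1:-.git/config}"
    flat=$(flatten_git_config "$cfg") || return 1
    for want in commit.gpgsign=true tag.gpgsign=true \
                gpg.x509.program=gitsign gpg.format=x509; do
        if ! printf '%s\n' "$flat" | grep -qx "$want"; then
            echo "gitsign not fully configured in $cfg: expected $want" >&2
            return 1
        fi
    done
    return 0
}

# Step 3: sign a commit; gitsign opens the browser for the OIDC login.
sign_commit() {
    git commit -S -m "$1"
}

# Step 4: verify the signature on the most recent commit.
verify_head() {
    git verify-commit HEAD
}

# Usage, from inside a repository:
#   install_gitsign && configure_repo && check_config && sign_commit "msg" && verify_head
```

The check is worth running once after configuration: if gpg.format is left at its openpgp default, git silently calls gpg instead of gitsign, and a commit made with -S then carries a GPG signature (or fails) rather than a keyless Sigstore one.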
In essence, tagging, tracking history and preventing tampering is a spot-on case for utilizing the blockchain. But this idea was rejected for the transparency log on the grounds that:
Further instructions and configuration options, such as the environment variables supported, can be found in its official repo.
At about the same time as Gitsign's release, a handy Python-based utility with a similar notion emerged. This is sigstore-python, a tool for signing and verifying Python package distributions. It's usable but still in its early stages, considering the warning in big letters on the repo's front page:
This project is not ready for general-purpose use!
That is not the case for GitSign though. You can use it as of right now!
|Last Updated ( Monday, 18 July 2022 )|