|Sigstore Java - Sign And Verify Your Java Builds|
|Written by Nikos Vaggalis|
|Thursday, 23 March 2023|
sigstore-java, currently under development and not yet ready for general-purpose use, is a tool for signing and verifying Java package distributions with Sigstore's keyless signing. It is one more step taken by Sigstore towards securing the software supply chain.
Sigstore signing empowers software developers to securely sign software artifacts such as release files, container images and binaries. These signatures are then stored in a tamper-proof public log - for free.
As a refresher, the Sigstore ecosystem consists of:
The sigstore-java client library, still under development, will provide a native Java implementation of the signing and verification services.
As with other registries, the value of these signatures is not fully realized, owing to shortcomings in public key infrastructure and developer tooling and the lack of an existing chain of trust for developers.
Sigstore is designed to solve these problems with elegance and runtime properties that are especially appealing in common Java development and CI environments.
The migration process from PGP to Sigstore has been broken down into distinct steps:
To make it easier to sign and publish to Maven Central, the signing activity is going to be incorporated into Java's build tools.
As for Maven, there is already the Maven Sigstore plugin, which supports generating and publishing Sigstore signatures to Central. The work done in its repository will eventually be folded into the Sigstore Java project.
Of course, we are talking about signing the end result, the build. But what about securing the whole chain, starting from the bottom and working up to the build? Sigstore has an answer to that too, with Gitsign. As examined in "Protect The Software Supply Chain With Gitsign":
Since everybody is on Git, what better place to start than signing the initial artifacts of the supply chain, the commits? While Sigstore had released tools for signing containers and binaries, there was nothing for signing git commits. This is about to change with Gitsign, which allows you to sign your commits in a keyless fashion by using your GitHub / OIDC identity.
Not only does this relieve you of the burden of managing the keys yourself, it also deals with the issue of those keys often ending up written inside the source of the repo itself, in effect canceling out the signing process.
So now, when signing commits as usual with git commit -S, your browser will redirect through Sigstore's keyless flow to authenticate and sign the commit. I say 'as usual' since GitHub was already offering commit signing with SSH keys and x509 certificates, at the cost of managing the keys yourself. Gitsign now removes this need.
Of course there is much more to be done in securing the supply chain, and Chainguard's latest report, "SLSA++ A Survey of Software Supply Chain Security", takes an in-depth look at how the industry is adopting the best practices. For extended commentary, make sure to check "Surveying Software Supply Chain Security".
|Last Updated ( Friday, 24 March 2023 )|