Zero-trust security starts with trusting actual entities based on strong identity, not whoever happens to control a secret, or whoever gets behind a firewall. No secrets sounds great in theory! It even sounds a bit magical. How can we authenticate without any secrets? In reality you can’t, but you move the secrets around a bit and change how they work to get a similar effect.
One common technique here is called Workload Identity, which leverages ambient credentials rather than explicit, fixed secrets. We’re excited to announce that Workload Identity is now fully supported in Project Sigstore! …
Before you get upset, I’m not talking about the coagulated soy-bean excretion often served fried; I’m talking about the Trust-On-First-Use authentication scheme. Just like the food, there are times to reach for TOFU, but too much of it might not be the best for your health. This post dives into when TOFU works, when it doesn’t, and some mitigations that make use of transparency logs.
TOFU is an authentication system used to bootstrap trust between two entities on an untrusted network. Pretend you’re at a crowded train station looking for someone you’re supposed to meet named Alice to exchange a…
There are a bunch of confusing formats and specifications that describe how to, well, format signatures and related information. This topic is confusing because terminology is hard and each specification tackles things at slightly different levels of abstraction, from slightly different angles. This blog post tries to explain them all, with a few recommendations for specific use cases.
This is mostly focused on the use of signatures in the context of supply chain security. This means signing artifacts, metadata, and code. Some information might be useful here in other contexts, but I make no promises.
We use TUF in the Sigstore project to protect our own keys and infrastructure, but we’re also hoping to make it possible for end users to use TUF on their own, using the Sigstore tools. I call this the TUF sandwich!
Open Source package managers are one of the most maligned pieces of software in common use today. I’m here to correct that criticism and tell developers that it’s not the package managers you hate — it’s what they’ve made you become. This contains a bit of a history lesson to explain how we got here today, as well as what I think the package management world will look like in the future.
A package manager is anything developers run to install packages! This category includes language-level package managers like wapm, etc. This category…
The cosign project started in February 2021 with a goal of making it easy to sign and verify containers on any OCI registry today. The community support has been incredible! We’ve added 7 maintainers from 5 organizations, and have merged 394 commits from 32 contributors across 10 organizations. Cosign has been tested on 13 OCI registries and is now packaged in five different package managers. We’ve cut seven releases over six months and are now thrilled to declare our first general availability release, cosign 1.0, which is ready for production use!
This blog post covers some best practices to keep in mind when generating metadata for supply chain security and policy systems. The advice here is generic, but will use vulnerability scans as an example to explain some of the concepts. This post will cover:
Policy engines like OPA/Gatekeeper, Kyverno, and Kubewarden play a critical role in software supply chain security by giving teams control over what can run in a production environment. They can be used to restrict user…
Note: This is current as of July 16th 2021
Let’s say you build and push a container image to a registry, and then you generate an SBOM, a signature, or anything else relevant to that image. You can easily store those other objects in a registry as well, but there’s no good way to indicate that those objects “refer” to the original image. If you have the image URL, you can’t automatically retrieve or look up all the things that “refer” to it.
Maybe, but probably for a different reason than you think
TL;DR: If you’re using GitHub, signing your commits is slightly better than not signing them. But probably not for the reason you think. The answer might shock you!
Let’s start with what most people think signing your commits does:
Another month, another set of exciting updates! The Sigstore community has been working at a ferocious pace to harden our platforms and tools, while working on the larger picture of supply-chain security. The pieces are coming together, and the bigger vision of OSS supply chain transparency is getting a little less blurry.
This means the Sigstore community is starting to engage deeper in our peer communities as we integrate and share knowledge in both directions. We want to thank them all for their help! In particular, the TektonCD, In-Toto, TUF, SPIFFE/SPIRE and CNCF TAG Security groups have been immensely helpful…