Announcing the Sigstore Root Key Ceremony

I’m thrilled to announce that the Sigstore community is holding our first Root Key ceremony on June 18th at 2pm Eastern, and I’m even more thrilled to announce that it will be hosted LIVE by the always incredible DanPOP on his CloudNative.tv show, Spotlight Live. This Trust Root will eventually be used to secure the keys used by the entire Sigstore project, but more importantly we’re planning to make our trust root available for any open source project that wants to use it!

This is a huge milestone for the Sigstore project, and we also hope that the trust root…


Or, OCI Registries for Binary Distribution

This post is about using container registries (Docker registries, OCI registries, whatever you want to call them) for the storage and distribution of generic, non-container-related binary artifacts.

I explain the reasoning below, but first: code and demos

Demos!

Here’s a quick walkthrough of a draft tool (still WIP!) to securely fetch published contents from an OCI registry, called sget. sget is part of the sigstore project, and is a standalone client that allows you to retrieve scripts or binaries from any OCI registry.

The sget tool works with cosign, and is designed to make it easy to do the right thing, by


Binary Transparency for JARs!


Time flies in open source! This post provides a few updates on Sigstore since our last update in March. We’ve been lucky to continue welcoming new community members and contributors, with 39 contributors from over 15 companies and our Slack channel is rapidly approaching 300 members!


Project Update March 2021 — Building Trust!


If you’re new to the Sigstore project, we officially launched on March 9th 2021 with a mission of improving the open source supply chain by making it easy to sign and verify code. We’re planning to provide free tools, APIs, and services as a public-benefit/non-profit. This post is to give a quick recap of where we are today, where we’re headed and what we’re focusing on next. I’ll also outline some areas we need help, and how to get involved!

While the public announcement was only a few short weeks ago, the Sigstore community started coming together about 9 months…


Why does it need to be so TUF?

If you’re anything like me and spend time reading blog posts and GitHub discussions around how to securely package and release software, you’ve probably heard of The Update Framework. Unfortunately, if you’re actually anything like me it probably seemed overwhelming and confusing at first. This blog post explains the mental model I’ve built up for TUF, and some of the concepts that finally made it understandable and digestible for me.

What is TUF?

Naming is hard, but TUF really isn’t a framework in the traditional sense. In my head, a framework is something like a…


A practical guide

I’ve heard a TON of questions about how to sign an open source software release lately. Once you get past the impossible tooling/crypto questions, you quickly realize you’ve barely scratched the surface in complexity. These problems aren’t all specific to OSS, but community-driven projects do face some unique challenges that stretch beyond technical and into the philosophical realm.


What does it mean to sign a release? Who should do it? Where should the keys live? How do users verify it? Why are we even doing this again? If you (understandably) assumed that this was a solved problem, you’re in good…


The protocol and format explained!

In my last post, I showed how cosign can be used to sign and verify container images today. In this post, I’ll explain how it works at each step of the way.

Life of a Cosign Signature

We’ll start with cosign generate-key-pair.

This command creates an ECDSA-P256 key pair (a private and a public key). The public key bytes are encoded in a PKIX formatted file. The public key looks like this:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEroVS8KdYXp5SSI5YDwwQymSByQAM
7MDgk9po3wpp/hHZAzCLsu+j3axrJJ5nMet9tqX1eH8yk21G626Z8lrkQA==
-----END PUBLIC KEY-----

The private key is marshaled into PKCS8 formatted bytes…


I’ve seen a lot of questions about signing container images in the last few months, and unfortunately there aren’t many great options or answers today. So I decided to write a simple tool called cosign. It can sign container images! Here’s what it looks like to use:

The future is now!

You can get it installed and start signing containers in minutes. There are almost no configuration options, by design. There is only one supported signature algorithm (ECDSA-P256) and one payload format (Red Hat Simple Signing).

Public keys are stored in plain old PKIX files. They look like:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEroVS8KdYXp5SSI5YDwwQymSByQAM
7MDgk9po3wpp/hHZAzCLsu+j3axrJJ5nMet9tqX1eH8yk21G626Z8lrkQA==
-----END PUBLIC KEY…

This took me a while to figure out, so I thought I would write it down in the hopes it saves someone else time later.

I have a Golang app that runs on Kubernetes (in my case GKE) that I want to add some basic monitoring to. I was hoping for a solution that roughly meets these requirements:

  • No vendor-specific code in my application
  • Easy support for exposing custom metrics
  • Since I’m running on GKE, it would be nice for the metrics to show up in the StackDriver console

Searching and reading examples led me down two routes: OpenTelemetry/OpenCensus and…


Making “many eyes” a reality with automation

Many advocates of open source software claim it is easier to make secure because it has “many eyes” looking at it. It is probably true that in the limit enough eyes can catch all bugs, but there’s no evidence we’ll ever hit that limit. Thankfully, we can help add more eyes to OSS with automation. This post explains how I built a platform to hunt for malicious behavior hiding in plain sight.


The specific type of malware I’m looking at in this post embeds itself in open source packages, and exploits the fact that…

Dan Lorenc

Software Engineer at Google
