dsse
root-signing
dsse | root-signing | |
---|---|---|
3 | 1 | |
61 | 77 | |
- | - | |
0.0 | 9.5 | |
5 days ago | 3 days ago | |
Jupyter Notebook | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
dsse
- NPM Provenance Public Beta
- What do you think about DSSE: Dead Simple Signing Envelope format?
-
Ditching OpenPGP, a new approach to signing APT repositories
I took a look at the design and think there are a few issues with the format as proposed.
# The public key is stored with the signature.
This should be stored separately. A public key found here is too tempting to use, rendering the signature worthless. Authenticating it would be OK, but low value. This is unauthenticated. A "key ID" should be used instead if the intention is to support lookups among multiple keys.
# The algorithm is stored with the signature.
This is slightly less bad than above, but still bad. Attacker-controlled algorithms have been used repeatedly in "downgrade" attacks. Agility is bad, but if you must support multiple algorithms, store this with the public key (somewhere else). Some info here: https://github.com/secure-systems-lab/dsse/issues/35
I didn't look at the sub-key protocol in detail. The ephemeral key for every release is an interesting choice. The root key is "offline". But if it must be brought online to sign a new ephemeral key for every release anyway, you might as well just use it to sign the release itself.
Using minisign/signify like OpenBSD does and keeping things very simple makes sense to me. The complexity designed into this system (sub-keys, multiple algorithms and signatures) starts to stretch the bounds to where TUF (https://theupdateframework.io/) might make sense. TUF is very complex and not worth it for most projects, but Debian is exactly what TUF is designed for.
root-signing
-
NPM Provenance Public Beta
caveat, I am from the sigstore project.
GitLab are currently working with sigstore community to rig in their CI/CD as well and the root of CA of sigstore is community created and owned. This means any provider can trade an ODIC ID token for a sigstore certificate.
https://github.com/sigstore/root-signing
What are some alternatives?
fulcio - Sigstore OIDC PKI
attestation - in-toto Attestation Framework
packj - Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain