You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: cosign/README.md
+27-30Lines changed: 27 additions & 30 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ The third operation is performed by a system called Rekor, a transparency log fo
13
13
And cosign is the reference Sigstore client implementation to sign arbitrary artifacts. With these components, Sigstore completed trust setup, signing and verification[2].
To verify an artifact, a verifier ensures that the trusted keys are fresh by performing a key update. With an updated root-of-trust, the first check ensures that the identity claimed was correctly verified by the identity log, and that the signature provided matches the content of the signed artifact. A final check verifies that the signature was created during the time window in which the certificate was valid.
53
+
52
54
The Sigstore team plans to refactor parts of cosign into a new, minimal, and user-friendly API named `sigstore-go`. Currently in beta, `sigstore-go` has passed the `sigstore-conformance` signing and verification test suite.
53
55
`sigstore-go` is built as a modular Go codebase including cryptographic signature creation and validation, integration with external services (Fulcio for certificates and Rekor for record-keeping) and API layers.
54
56
The `ratify-verifier-go` implementation shares the same underlying library, `sigstore-go`, as the cosign verifier.
55
57
56
58
## Concepts
57
59
58
-
**Artifact signing**: To sign an artifact, a signer generates a private/public key pair and uses the secret key to sign an arbitrary piece of data.
59
-
60
-
**OpenID Connect (OIDC)**: A widely-supported protocol allowing relying parties (applications) to verify the identity of resource owners (end users) as confirmed by identity providers.
61
-
62
-
**OIDC Provider**: Mechanism vouching that an entity (individual) controls an identity (e.g., email account)
63
-
64
-
**Signers**: Individuals vouching for the authenticity of content.
65
-
66
-
**Verifiers**: Individuals checking that content is authentic.
67
-
68
-
**Artifact Log**: Record of artifact metadata created by signers.
69
-
70
-
**Identity Log**: Record of mappings from identities to signing keys.
60
+
1. Digital Artifact Signing Fundamentals
61
+
- Artifact Signing: The process by which a signer uses a private key (paired with a public key) to produce a digital signature on an artifact (a piece of data, file, or software).
62
+
- Digital Signature: A cryptographic value computed from artifact data and a secret key. It serves as evidence that the signer endorsed the artifact and that the artifact has not been tampered with.
71
63
72
-
**Certificate Authority(CA)**: Entity verifying identity and issues cryptographic certificates to signers.
64
+
2. Identity, Authorization, and Trust Establishment
65
+
- OpenID Connect (OIDC): A widely supported protocol that allows relying parties (applications) to authenticate resource owners (end users) based on assertions made by identity providers.
66
+
- OIDC Provider: An entity or mechanism that vouches for an individual’s identity (for example, confirming control of an email account) in accordance with OIDC protocols.
67
+
- Signers: Individuals or entities that use their private keys to digitally sign artifacts, thereby vouching for the authenticity and integrity of content.
68
+
- Verifiers: Individuals or systems responsible for checking that the digital signature attached to an artifact is valid and that the artifact remains unaltered.
73
69
74
-
**Public-key Infrastructure (PKI)**: A set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
70
+
3. Trust Infrastructure and Public-Key Management
71
+
- Certificate Authority (CA): An entity within a Public-key Infrastructure (PKI) that is responsible for verifying identities and issuing digital certificates which associate a public key with the verified identity of a signer.
72
+
- Public Key Certificate: An electronic document issued by a CA that binds a public key with an individual’s identity, thus providing proof of the public key’s legitimacy.
73
+
- Public-key Infrastructure (PKI): A comprehensive framework that includes roles, policies, hardware, software, and procedures for creating, managing, distributing, using, storing, and revoking digital certificates as well as managing public-key encryption.
75
74
76
-
**Public Key Certificate**: In cryptography, a public key certificate, is an electronic document used to prove the validity of a public key.
75
+
4. Transparency and Auditability
76
+
- Identity Log: An online provided record, that maps verified identities to their associated signing keys. Such logs help establish trust by providing a history of key associations.
77
+
- Artifact Log: An online/offline provided record that contains metadata about artifacts, such as when and by whom they were signed. This ledger aids in auditing and tracing the provenance of digital artifacts.
77
78
78
79
## Scenarios
79
80
80
81
`ratify-verifier-go` supports multiple verification scenarios based on different signing methods, artifact types, and trust sources[3]. These scenarios can be categorized into the following main types.
|**Keyless Verification**|Fulcio issues short-lived certificates binding an ephemeral key to an OpenID Connect identity. Signing events are logged in Rekor, a signature transparency log. | CI/CD pipelines or automated workflows where no private key management is needed. |
85
+
|**Keyless Verification**|Verifyies signatures from Rekor, trust material (signed certificate timestamp) from the CT log, and certificates that chain up to Fulcio. | CI/CD pipelines or automated workflows where no private key management is needed. |
85
86
|**Key-Based Verification**| Verifies signature using a known **public key**. | Environments where signatures are verified with a known public key. |
86
87
|**Timestamp Verification**| Verifies the **timestamp** of the signature to prevent time-based attacks. Not standalone verification. | Long-term signature validity checks, ensuring signatures are valid at a specific point in time. |
87
88
|**Rekor Transparency Log (TLog)**| Verifies inclusion of the signature in the **Rekor Transparency Log** for audibility. Not standalone verification. | Auditing and compliance to ensure signatures are publicly recorded in an immutable log. |
@@ -93,36 +94,32 @@ The `ratify-verifier-go` implementation shares the same underlying library, `sig
93
94
94
95
2. Verification Materials
95
96
- The signature(s) of the artifact[4]: The cryptographic signature(s) created when the artifact was signed.
96
-
- Verification options: i.e. whether to expect SCTs (a service compliant with [RFC 6962](https://datatracker.ietf.org/doc/html/rfc6962)), TLog entries, or signed timestamps and expected identity and digest to verify.
97
+
- Verification options: i.e. whether to expect signed certificate timestamps (SCTs), TLog entries, or signed timestamps and expected identity and digest to verify.
97
98
98
99
3. Verification Key or Certificate
99
-
- Keyless Verification: Retrieves an x509 certificate on the signature and verify against Fulcio root trust.
100
+
- Keyless Verification: Retrieves an X.509[5] certificate on the signature and verify against Fulcio root trust.
100
101
- Key-Based Verification: User provides a public key, certificate or certificate chain.
101
102
102
103
### Cosign Verifier Output
103
104
104
105
The output format is defined by `ratify-go`, illustrates if the signature is valid and all criteria are met. It includes detailed information such as:
105
106
106
107
- verification_success: Indicates if the verification was successful.
107
-
108
108
- verifier reference: The verifier that generated the result.
109
-
110
109
- artifact_digest: The cryptographic hash of the artifact.
111
-
112
110
- signer_identity: The identity associated with the signing certificate (if keyless signing was used).
113
-
114
111
- signing_cert: Metadata about the Fulcio-issued certificate (if applicable).
115
-
116
112
- rekor_entry: Confirms whether the signature exists in the transparency log (for keyless verification).
117
-
118
113
- timestamp_verified: Ensures that the signature has a valid timestamp (if timestamping was used).
119
114
120
115
## References
121
116
122
-
[1][Zachary Newman, John Speed Meyers, and Santiago Torres-Arias, “Sigstore: Software Signing for Everybody” CCS ’22, Los Angeles, CA, USA 2353-2365 https://doi.org/10.1145/3548606.3560596](https://doi.org/10.1145/3548606.3560596)
117
+
[1][Zachary Newman, John Speed Meyers, and Santiago Torres-Arias. 2022. Sigstore: software signing for everybody. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2353–2367](https://doi.org/10.1145/3548606.3560596)
[5][M. Cooper, Y. Dzambasow, P. Hesse, S. Joseph, and R. Nicholas. 2005. Internet X.509 Public Key Infrastructure: Certification Path Building (RFC 5280). Technical Report. Internet Engineering Task Force. http://tools.ietf.org/html/rfc5280](http://tools.ietf.org/html/rfc5280)
0 commit comments