... | @@ -1203,23 +1203,43 @@ it's still nice to have options. |
[Dan Lorenc][], an engineer at Google, designed a tool that allows
[Dan Lorenc][], an engineer at Google, designed a tool that allows
users to sign "artifacts". Typically, those are container images
users to sign "artifacts". Typically, those are container images
(e.g. [cosign](https://github.com/sigstore/cosign) is named so because it signs "containers"), but
(e.g. [cosign][] is named so because it signs "containers"), but
anything can be signed.
anything can be signed.
It also works with a transparency log server called [rekor](https://github.com/sigstore/rekor). They
[Dan Lorenc]: https://github.com/dlorenc
[cosign]: https://github.com/sigstore/cosign
It also works with a transparency log server called [rekor][]. They
run a public instance, but we could also run our own. It is currently
run a public instance, but we could also run our own. It is currently
unclear if we could have both, but it's apparently possible to run a
unclear if we could have both, but it's apparently possible to run a
"monitor" that would check the log for consistency.
"monitor" that would check the log for consistency.
There's also a system for [signing binaries with ephemeral keys](https://shibumi.dev/posts/first-look-into-cosign/)
[rekor]: https://github.com/sigstore/rekor
There's also a system for [signing binaries with ephemeral keys][]
which seems counter-intuitive but actually works nicely for CI jobs.
which seems counter-intuitive but actually works nicely for CI jobs.
[signing binaries with ephemeral keys]: https://shibumi.dev/posts/first-look-into-cosign/
Seems very promising, maintained by Google, RedHat, and supported by
Seems very promising, maintained by Google, RedHat, and supported by
the Linux foundation. Complementary to [in-toto][] and [TUF][].
the Linux foundation. Complementary to [in-toto][] and [TUF][]. TUF is
actually used to create the [root keys][] which are controlled, at
the time of writing, by:
[TUF]: https://theupdateframework.io/
[in-toto]: https://github.com/in-toto/in-toto
[in-toto]: https://github.com/in-toto/in-toto
[Dan Lorenc]: https://github.com/dlorenc
[TUF]: https://theupdateframework.io/
[root keys]: https://github.com/sigstore/root-signing
* [Bob Callaway][] (Google)
* [Dan Lorenc][] (Google)
* [Luke Hinds][] (RedHat)
* [Marina Moore][] (NYU)
* [Santiago Torres][] (Purdue)
[Luke Hinds]: https://github.com/lukehinds
[Marina Moore]: https://github.com/mnm678
[Santiago Torres]: https://github.com/SantiagoTorres
[Bob Callaway]: https://github.com/bobcallaway
### Other caveats
### Other caveats
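Review bot: the added sentence "TUF is actually used to create the [root keys][] which are controlled, at the time of writing, by:" ties a list of five named key holders to "the time of writing" without giving a date, so a reader of this page later cannot tell how stale the list is; suggest adding the date (or the root-signing ceremony the list was taken from) next to "at the time of writing", or pointing readers to the linked root-signing repository for the current holders rather than enumerating them here. Minor: "which are controlled" reads better as "that are controlled", and since the [signing binaries with ephemeral keys][] reference now resolves to a third-party blog post, the sentence could say so, so that it is not taken for the project's own documentation.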