Jul 17, 2022

Written by Zachary Newman

Is Sigstore Ready for a Post-Quantum World?

Photo by Anton Maksimov 5642.su on Unsplash A couple of weeks back, NIST made big news in the cryptographic community by announcing that they have selected four quantum-resistant encryption and digital signature algorithms for standardization. In recent years, worries about the threats that quantum computers pose to current encryption algorithms have precipitated a major effort to establish a “post-quantum” (PQ) cryptographic toolkit. NIST’s 99-page full report, which reflects six years of work by a group of expert cryptographers details the algorithms and their performance and security characteristics However, the report omits the answer to the question on every Sigstore user’s mind: is Sigstore ready for a post-quantum world?

Tags:  sigstorenistpostquantumcryptography

May 30, 2022

Written by Luke Hinds

sigstore, blockchain vs transparency logs

Co-authored by Luke Hinds (Red Hat) and Prof Santiago Torres-Arias (Purdue University). Disclaimer: The following is representative of the authors views, and not necessarily that of the sigstore community. *“Why did you chose to use a transparency log and not a blockchain?”* We get this question often, so we figured it’s best to address this head on. It could be best summarised as *‘why would we use blockchain?*’ as opposed to ‘*why did we not use blockchain?

Tags:  sigstoreblockchaindevsecops

May 28, 2022

Written by Zachary Newman

Privacy in Sigstore

Photo by Tim Mossholder on Unsplash By default, the keyless signing flow for Sigstore exposes a user’s email: $ rekor-cli search --email zack@example.com \ # not my real email! | wc -l Found matching entries (listed by UUID): 112 Specifically, a user logs in to Fulcio with OIDC. Fulcio issues a short-lived certificate with the SAN set to your email address as reported by the OIDC identity provider, even if your email is not typically exposed on that service itself (for instance, your GitHub email will be exposed, even though it’s not generally public).

Tags:  sigstoreprivacysoftwaresupplychainsupplychainsecurity

Apr 25, 2022

Written by developer-guy

How to verify container images with Kyverno using KMS, Cosign, and Workload Identity

Securing our software supply chains has become more critical with the rise of software supply chain attacks. Also, over the past few years, container adoption has increased too. In the light of these pieces of information, it has grown the need to sign container images to help prevent supply chain attacks. In addition, most of the containers we are using today, even if we use them in production environments, are vulnerable to supply chain attacks.

Tags:  sigstorecosignworkloadidentitykmskyverno

Apr 25, 2022

Written by Zachary Newman

Don’t Panic: A Playbook for Handling Account Compromise with Sigstore

Photo by Tonik on Unsplash Despite your best efforts, you may no longer trust artifacts, keys, or identities when signing software. A container might turn out to have vulnerabilities, a key might be lost, or worse: a trusted account could be compromised. There’s a myth that Sigstore makes revocation harder; in fact, the opposite is true! While it is true that the signatures on software are stored forever, software verification using Sigstore does support artifact revocation.

Tags:  sigstorecosignincidentresponsesupplychainsecurity