[HN Gopher] Sigstore: Making sure your software is what it claim...
___________________________________________________________________
Sigstore: Making sure your software is what it claims to be
Author : saikatsg
Score : 23 points
Date : 2025-01-21 20:34 UTC (2 hours ago)
(HTM) web link (www.sigstore.dev)
(TXT) w3m dump (www.sigstore.dev)
| linkregister wrote:
| Has anyone implemented this end-to-end? This seems production
| ready for smaller shops where it's feasible for developers to
| sign artifacts individually. For a system where you'd want CI to
| publish artifacts, and then use the k8s policy controller to only
| run verified artifacts, it seems incomplete.
|
| It appears the reason to include this system in a toolchain would
| be to meet compliance requirements, but even the GCP, AWS, and
| Azure implementations of artifact signing & verification are in
| beta.
| arccy wrote:
| yes, i've implemented it in multiple companies. cosign supports
| using generated keys and kms services, that's been pretty
| stable and usable for a long time. keyless signing is different
| and you need to think a bit more carefully about what you're
| trusting.
| rough-sea wrote:
| JSR supports sigstore https://jsr.io/docs/trust
| djhn wrote:
| Somewhat adjacent question: are there people working on ways to
| verify that a particular server or API backend is running the
| specific signed release that is open sourced? Can a company
| somehow cryptographically prove to its users that the running
| build is derived from the source unmodified?
| cperciva wrote:
| You can do this with e.g. EC2 enclaves. Of course that's kind
| of begging the question, since you need to trust the enclaves.
| formerly_proven wrote:
| That's what remote attestation in Intel SGX does. There are
| similar features in other platforms as well.
| shortsunblack wrote:
| See Keylime for this.
___________________________________________________________________
(page generated 2025-01-21 23:00 UTC)