Oh The Places You'll Sign.pdf

1. John Osborne
josborne@chainguard.dev
@CloudLvlMidnite
How Sigstore Accelerates a Software Supply Chain Journey
https://chainguard.dev
Oh The Places You’ll Sign

2. What Is Software Supply Chain Security?
“Software supply chain attacks occur when the
materials or processes of producing software
are themselves compromised, resulting in
vulnerabilities targeting downstream consumers
of the software produced”

3. Limited Visibility Into Our Dependencies
App
Your dependencies likely have CRITICAL CVEs (Source: deps.dev)

4. Limited Visibility Into Source and Build Requirements
“There’s currently no guarantee that a package on npm is built from the same source code that’s published”
- Justin Hutchings, GitHub Director of Product Management
Can the source
code history be
verified?
Can the build system be
verifiably linked back to
source control?

5. Building Transparency In The Software Supply Chain

6. Generate A Supply Chain Data Layer
Foundation for Supply Chain Transparency
Attestations
Signed metadata (typically
how artifact was
produced)
List of ingredients that
make up the software
components
Standard for signing and
verifying software integrity

7. sigstore
Making sure your software’s what it
claims to be
A new standard for signing, verifying and protecting
software.
Great UX is fundamental to adoption.
Modern ‘keyless’ signing removes painful key
management.

8. Sigstore, a new standard for signing, verifying and protecting software
● Key Pieces:
○ Cosign: sign things
○ Fulcio: sign things using short lived certs
● Rekor: verify & monitor (transparency log)
● All cryptographically verifiable, auditable,
community operated
● Sigstore community hosts a free shared
public-good instance

9. Key Automation

10. Signing and Verifying
(also git commits - more later)
Images $ cosign sign josborne/myimage
Blobs $ cosign sign-blob ./myblob
Attestations $ cosign attest josborne/myimage --predicate ./att.json
SBOMs $ cosign attest josborne/myimage --predicate ./sbom
Images $ cosign verify josborne/myimage
Blobs $ cosign verify-blob ./myblob
Attestations $ cosign verify-attestation josborne/myimage
SBOMs $ cosign verify-attestation josborne/myimage

11. cosign demo

12. What do signatures guarantee?
● Signatures give you evidence that:
○ What you signed hasn’t changed
○ It came from the producer that signed it
● We want to sign our software
○ Artifacts (.jars, container images)
○ Git Commits
● We want to sign our supporting docs
○ SBOMs
○ Attestations

13. Software Bill of Materials (and friends)
Component 1
Component 2
Component 3
License 1
AFFECTED NOT AFFECTED
FIXED
UNDER
INVESTIGATION
My
Product
Vulnerability Exploitability eXchange

14. DENCE
Attestations
A software attestation is a signed statement (metadata)
about a software artifact
● Makes it possible to write automated policies that
take advantage of structured metadata
● Fits into the SLSA Framework
EVIDENCE

15. Common Attestations
How it was Built (Provenance)
ko attests to the fact that it built a
container image with digest
"sha256:87f7fe…" from git
commit "f0c93d…"
How it was Tested
GitHub Actions attests to the
fact that the npm tests passed
on git commit "f0c93d…".
What Security Scans it Passed
GitHub Actions attests to the fact that
no vulnerabilities were found in
container image "sha256:87f7fe…" at a
particular time using a scanning tool

16. Sigstore Provides Integrity for Attestations
sign
sign & verify
continuous verification
SLSA
NIST SSDF
CIS Benchmarks

17. SLSA Level 1
SLSA
SLSA Level 1
● Scripted Builds
● Provenance Available
SLSA Level 1 Attestation Example

18. SLSA Level 2
SLSA
SLSA Level 2 Attestation Example
Verify
SLSA Level 2
● Use a Build Service
● Sign & Verify Provenance
Sign Verify Signature

19. Verify Attestation
SLSA Level 3
SLSA
SLSA Level 3 Attestation Example
Verify
SLSA Level 3
● Build As Code
● Non-Falsifiable Provenance
● External KMS
Sign

20. Verify
SLSA Level 4
SLSA
SLSA Level 4 Attestation Example
Verify
SLSA Level 4
● Reproducible Build
● Provenance of Transitive Deps
Sign

21. Verify Kim
SLSA Level 4 Code Review
SLSA
Verify
Dan Signs
Kim Signs
Verify Dan

22. ❏ Ensure verification of signed commits for new changes before merging
❏ Ensure all artifacts on all releases are signed
❏ Ensure pipeline steps sign the SBOM produced
❏ Ensure signed metadata of the build process is required and verified
❏ Ensure a signed SBOM of the code is supplied
❏ Ensure all artifacts are signed by the build pipeline itself
❏ Ensure all signed artifacts are validated upon uploading the package registry
❏ Ensure all versions of an existing artifact have their signatures validated
Supply Chain Security Guide
CIS Benchmarks

23. Secure Software Development Framework NIST SSDF
❏ Evaluate tools’ signing capabilities to create immutable logs for auditability
❏ Use commit signing for code repositories
❏ Use code signing to help protect the integrity of executables
❏ Confirm the integrity through digital signatures
❏ Post cryptographic hashes for release files on a well-secured website
❏ Protect the integrity of provenance data
❏ Provide a way for recipients to verify provenance data integrity
❏ Automatically review provenance and software composition data
❏ Make the provenance data available to the organization’s operations and response teams

24. Gitsign
“Keyless” git commit signing with Sigstore
● Sign with git commit -S
● Sign every commit by default (optional)
Meet SLSA Verified-History
& Two-Person Review Reqs
github.com/sigstore/gitsign

25. gitsign demo

26. Let’s Make Informed Risk Management Decisions
Supply chain metadata allows you to make
policy decisions, events, alerts, etc based on
your security posture

27. Free Sigstore Training
https://blog.chainguard.dev/get-started-with-sigstore-free-course/