Draft: Adding a first early draft on handling of digital signatures #21
Conversation
Signed-off-by: Olle E. Johansson <[email protected]>
Signed-off-by: Olle E. Johansson <[email protected]>
Signed-off-by: Olle E. Johansson <[email protected]>
signatures/signature.md
Outdated
| @@ -0,0 +1,108 @@ | |||
| # Trusting digital signatures in TEA | |||
|
|
|||
| Software transparency is a lot about trust. Within the | |||
There was a problem hiding this comment.
Trust is a human determination about software. Is software transparency not about trustworthiness?
There was a problem hiding this comment.
I will rephrase this... Thanks for the feedback.
| or set up an internal solution. The issue with that is that external | ||
| parties do not automatically trust that internal PKI. | ||
|
|
||
| This document outlines a proposal on how to build that trust and |
There was a problem hiding this comment.
The above statements imply that the publisher controls one or more pairs of asymmetric keys, but that is not immediately clear from lines 20 to 27. Who is to sign the BOM if the party uploading the BOM or related artifacts is not the original publisher of the software?
(FYI: For this reason, a related IETF standard talks about Issuer as a key role in their architecture; the publisher of software is not always the Issuer as defined by the IETF SCITT WG, and vice versa.)
There was a problem hiding this comment.
I think signing has to be optional. But the question of a third party that publishes something is a bit out of scope for our work, while I understand it is part of SCITT. I will consider this and see what can be done.
signatures/signature.md
Outdated
| ## Digital signatures | ||
|
|
||
| ### Digital signatures as specified for CycloneDX | ||
| "Digital signatures may be applied to a BOM or to an assembly within a BOM. |
There was a problem hiding this comment.
Is the intention here that you would have digital signatures for individual inline assemblies and the overall package that composes them? I tried reviewing the CycloneDX documents and this specification but that sounds like it can get complex very quickly.
There was a problem hiding this comment.
I just quoted the text from the CycloneDX specs. Agree that it may feel messy, but it may have a point as you can include attestations, patches and much more in a CycloneDX BOM.
There was a problem hiding this comment.
Personally I do like detached signatures :-)
|
|
||
| ## Using Sigstore for signing | ||
|
|
||
| Sigstore is an excellent free service for both signing of GIT commits as well |
There was a problem hiding this comment.
Is it the responsibility of the Transparency API described in this specification to compute and verify such hashes from external sources like Sigstore and/or elsewhere?
There was a problem hiding this comment.
That is a good question. I think validation primarily is when someone downloads artefacts. But it can of course also apply to publication - a server implementation may not accept signed documents that the server can not validate. Good question.
There was a problem hiding this comment.
With OCI (Docker) images the producer generates and uploads the signature to the registry alongside the image artifact using the cosign utility. The consumer also uses cosign to verify the signature against the Sigstore transparency log. It is not a super-streamlined experience, but it beats fiddling with PGP any day 😄
|
I like the way this proposal aims to automate the verification of signatures of published artifacts. We regularly receive requests from users that wish to verify the artifact signatures we publish on Maven Central. I have however a couple of concerns:
|
|
Supporting GPG signatures is good for backwards compatibility but do we want to put that implementation burden on new implementations, which this will be? Food for thought. Being able to add upstream trust anchors is a very good idea. |
The availability of PGP trust anchors is the main reason PyPI removed signatures from their repository: https://blog.pypi.org/posts/2023-05-23-removing-pgp/ I don't think we should require the support of the OpenPGP format, but we might allow users to publish the public keys as X509 certificates and mark their usage as "Maven only", "PyPI only", etc. |
Co-authored-by: A.J. Stein <[email protected]> Signed-off-by: Olle E. Johansson <[email protected]>
|
Moved discussions on PGP to a separate issue |
Signed-off-by: Paul Horton <[email protected]>
Signed-off-by: Olle E. Johansson <[email protected]>
Signed-off-by: Olle E. Johansson <[email protected]>
…ference Type Closes CycloneDX#23 Signed-off-by: Olle E. Johansson <[email protected]>
Signed-off-by: Olle E. Johansson <[email protected]>
Signed-off-by: Olle E. Johansson <[email protected]>
Based on discussions in CycloneDX#24 there is a need to add use cases documentation for various deliverables that need a TEI Signed-off-by: Olle E. Johansson <[email protected]>
Signed-off-by: Olle E. Johansson <[email protected]>
Signed-off-by: Olle E. Johansson <[email protected]>
|
Added a clarification that digital signatures are optional. It may not be in future versions of the API, but we have to start somewhere. |
| @@ -104,7 +104,7 @@ Append the product part of the TEI to the URI found | |||
|
|
|||
| - TEI: `urn:tei:uuid:products.example.com:d4d9f54a-abcf-11ee-ac79-1a52914d44b1` | |||
| - DNS record: `_tei._tcp.products.example.com` | |||
| - URI in DNS: `://www.example.com/transparency/` | |||
| - URI in DNS: `https://www.example.com/transparency/` | |||
| - URL: `https://www.example.com/transparency/d4d9f54a-abcf-11ee-ac79-1a52914d44b1/` | |||
|
|
|||
| If no DNS URI records are found the resolution defaults to A and AAAA records. | |||
| validated. | ||
|
|
||
| Within the | ||
| API documents can be signed with an electronic |
There was a problem hiding this comment.
| API documents can be signed with an electronic | |
| API, documents can be signed with an electronic |
|
|
||
| Within the | ||
| API documents can be signed with an electronic | ||
| signature. CycloneDX boms supports signatures within |
There was a problem hiding this comment.
| signature. CycloneDX boms supports signatures within | |
| signature. CycloneDX Documents support [signatures](https://cyclonedx.org/use-cases/#authenticity) within |
| Within the | ||
| API documents can be signed with an electronic | ||
| signature. CycloneDX boms supports signatures within | ||
| the JSON file, but other artefacts may need external |
There was a problem hiding this comment.
| the JSON file, but other artefacts may need external | |
| the JSON and XML files, but other artefacts may need external |
| the JSON file, but other artefacts may need external | ||
| signature files, a detached signature. | ||
|
|
||
| - __Integrity__: Documents dowloaded needs to be the same |
There was a problem hiding this comment.
| - __Integrity__: Documents dowloaded needs to be the same | |
| - __Integrity__: Documents dowloaded must be the same |
| - __Integrity__: Documents dowloaded needs to be the same | ||
| as documents published | ||
| - __Identity__: | ||
| - Customers need to be able to verify the |
There was a problem hiding this comment.
| - Customers need to be able to verify the | |
| - Customers need to be able to verify the identity of the |
| ## API trust | ||
|
|
||
| The TEA API is built on the HTTP protocol with TLS encryption | ||
| and authentication, using the https:// URL scheme. |
There was a problem hiding this comment.
| and authentication, using the https:// URL scheme. | |
| and authentication, using the `https://` URL scheme. |
| PEM-encoded certificates in one single text file. | ||
|
|
||
| The TEA API has a `/trust-anchors/` API that will download | ||
| the current trust anchor APIs. This file is not signed, |
There was a problem hiding this comment.
the current trust anchor APIs. This file is not signed,
Is APIs the correct word here @oej ?
Trying to gather thoughts on digital signatures in the TEA collections and for TEA artefacts.
Feedback is always welcome!