Not all that’s signed is secure: Verify the right way with TUF and Sigstore

Zachary Newman, Principal Research Scientist and Marina Moore (NYU)
February 8, 2023

At the inaugural CloudNativeSecurityCon in Seattle, former Chainguard intern Marina Moore (PhD candidate at NYU) and Chainguard research scientist Zack Newman took to the stage to present their talk:

“Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore” on how the Sigstore and The Update Framework (TUF) open source projects can be used to create verification policies to secure software supply chains of all shapes and sizes.

Key Takeaways

  • Software signing helps with an important (but not exhaustive) class of supply chain attacks.
  • Even then, verifying the wrong way can render your signing scheme useless: just “signing” isn’t sufficient.
  • It’s tricky to create the right verification policy, which tells you how to verify, because of the potential of subtle attacks; The Update Framework (TUF) is a great way to build smart-but-flexible verification policies for your needs.
  • TUF and Sigstore are a match made in heaven: easy signing, with rigorous verification policies.
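
The second and third takeaways, as an added example that is not from the talk, the slides or either project's code: a Go sketch of the "wrong way", which accepts any valid signature under whatever key the bundle ships, beside a verification policy in the spirit of TUF and Sigstore that pins each identity to a key, requires a threshold of distinct signers and stops trusting itself after an expiry. The identity strings, the `Signed` and `Policy` types and every function name are constructed for illustration; real TUF metadata and Sigstore bundles have their own formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"time"
)
// Signed is one signature as received: the claimed identity, the key shipped with it, the raw bytes.
type Signed struct {
	Identity string
	Key      ed25519.PublicKey
	Sig      []byte
}

// Policy pins identity -> key, how many distinct signers are required, and when trust in it expires.
type Policy struct {
	Allowed   map[string]ed25519.PublicKey
	Threshold int
	Expires   time.Time
}
func newKey() ed25519.PrivateKey    { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
func digest(artifact []byte) []byte { h := sha256.Sum256(artifact); return h[:] }
func sign(k ed25519.PrivateKey, id string, artifact []byte) Signed {
	return Signed{id, k.Public().(ed25519.PublicKey), ed25519.Sign(k, digest(artifact))}
}
// verifyNaive is the wrong way: it trusts the key carried in the bundle, so anyone's valid signature passes.
func verifyNaive(artifact []byte, sigs []Signed) bool {
	for _, s := range sigs {
		if ed25519.Verify(s.Key, digest(artifact), s.Sig) {
			return true
		}
	}
	return false
}
// verifyPolicy is the right way: a signature counts only under the key pinned for its claimed
// identity, each identity counts once, the threshold must be met, and an expired policy rejects all.
func verifyPolicy(artifact []byte, sigs []Signed, p Policy, now time.Time) bool {
	if !now.Before(p.Expires) {
		return false
	}
	seen := map[string]bool{}
	for _, s := range sigs {
		if k, ok := p.Allowed[s.Identity]; ok && ed25519.Verify(k, digest(artifact), s.Sig) {
			seen[s.Identity] = true
		}
	}
	return len(seen) >= p.Threshold
}
```

The contrast to watch: a signature an attacker makes under their own key while claiming the maintainer's identity satisfies `verifyNaive` but not `verifyPolicy`, and two signatures from the same pinned identity never satisfy a threshold of two.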

To learn more, please watch the talk, check out the slide deck, and get involved with the Sigstore and TUF projects. Not ready to build your own verification policies from scratch? Chainguard Enforce has built-in support for verification policies that support TUF and Sigstore, and any other policies for securing your software supply chain.
