Where Do I Sign? Step-by-step Sigstore Adoption
These Supply Chains Ain’t Gonna Secure Themselves
Signing and verifying your code, build system, and artifacts is one of the most effective mitigations you can take against software supply chain attacks. Sigstore provides the open source community with free infrastructure for code signing, in the spirit of Let's Encrypt. Using Sigstore, we can iteratively improve our supply chain security, starting with signed attestations and moving toward signed provenance that protects the build itself.
Where Do I Sign?
With Sigstore there are multiple places you can sign your artifacts:
You can sign commits to your code repository
You can sign from the build system to provide build provenance
You can sign production container images, blobs, or other artifacts
But there isn’t much guidance on which of these you should start with on your journey toward a more secure supply chain. As with most things, “it depends” on your threat model and what you’re trying to protect.
Ordered from simplest to most complex to adopt: we can start with git commit signing, then level up to signing build artifacts, and lastly focus on protecting the build system itself.
Commit Signing
If you want to protect your codebase from tampering or impersonation, you can verify the authenticity of developer commits using git signing. Sigstore’s gitsign package enables developers to sign git commits without managing any keys or depending on PGP. Signing a commit initiates an OIDC flow that authenticates you with the same identity provider you use for SSO. That identity is then used to sign the commit, and the signing certificate and signature are recorded in the Rekor transparency log so that the commit can be verified later.
Signing Build Artifacts
Deploying untrusted artifacts in your production environment is akin to picking up gum off the street and deploying it to your prod environment. (Is that how the analogy works?)
If you want to protect your production environment from running untrusted or malicious container images, you can sign artifacts and store the attestations right next to your container images, in whatever registry you’re already using. Chainguard Enforce provides continuous verification for all container images running across your fleet of Kubernetes clusters, either with our Enforce agent or with our new agent-free mode.
Build Provenance and Attestation
Build systems should be treated like production systems, which means they should provide suitable logging and attestation for everything they build.
If you’re mitigating attacks on your build system (Open Source projects take note), you’ll want to provide provenance for your builds and sign the provenance with Sigstore. Depending on the build system you’re using, you can integrate with Sigstore to sign and upload evidence of the build provenance to protect downstream users against supply chain attacks like the SolarWinds attack.
GitHub Actions, Tekton, and other build systems are capable of providing build provenance via in-toto attestations natively. However, some build systems (notably Jenkins) are widely in use and don’t have support for build provenance. For these environments, we recommend having Jenkins handle testing while the building of any production artifacts is handled by a build system that generates verifiable build attestations.
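As an added example (not code from the original post, Sigstore, or any build system named above), the following Python builds an in-toto Statement carrying a SLSA provenance predicate for a constructed artifact, shows the DSSE pre-authentication encoding that a signer such as cosign actually signs, and applies the policy a deploy gate enforces after the signature has been verified: the subject digest must match the artifact being deployed and the builder must be a trusted one. The builder id, build type, and repository URI are hypothetical placeholders; producing and verifying the DSSE signature itself is left to the signing tool.

```python
import hashlib
import json

# Constructed sample artifact (assumption: these are the exact bytes the build produced).
ARTIFACT = b"example release binary contents\n"
TRUSTED_BUILDER = "https://builder.example.com/v1"  # hypothetical builder id


def make_provenance(name: str, artifact: bytes, builder_id: str) -> dict:
    """Build an in-toto Statement whose predicate is SLSA provenance v0.2."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://builder.example.com/build/v1",  # hypothetical
            "invocation": {"configSource": {
                "uri": "git+https://example.com/org/repo",  # hypothetical
                "digest": {"sha1": "0" * 40}}},
        },
    }


def statement_payload(statement: dict) -> bytes:
    """Serialize the statement as the DSSE payload body."""
    return json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes the signer actually signs.
    Format: DSSEv1 SP len(type) SP type SP len(payload) SP payload."""
    return b" ".join([b"DSSEv1",
                      str(len(payload_type.encode())).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def check_provenance(statement: dict, artifact: bytes, trusted_builder: str) -> bool:
    """Policy applied at deploy time, after the DSSE signature has been verified:
    the artifact must appear as a subject and must come from a trusted builder."""
    digest = hashlib.sha256(artifact).hexdigest()
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        return False
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False  # provenance is for some other artifact
    return statement.get("predicate", {}).get("builder", {}).get("id") == trusted_builder
```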
Holistic Supply Chain Security
But how do you defend against attacks on your code repository, build system, and production images? You can use Sigstore in all three places! This provides comprehensive protection from code commits, through build system verification, all the way to container images at runtime. Sigstore allows you to iteratively make improvements to your supply chain, meeting you where you’re at and leading you toward a trusted supply chain.
If you’d like help on your software supply chain journey, the experts at Chainguard are here to help!