
The Linux Foundation's "sigstore" project


Posted Mar 10, 2021 23:50 UTC (Wed) by shemminger (subscriber, #5739)
In reply to: The Linux Foundation's "sigstore" project by fwiesweg
Parent article: The Linux Foundation's "sigstore" project

The recent SolarWinds attack happened in the infrastructure, and was caused by trusting the signature.
How would this help that threat model? Or would it introduce a false sense of trust?



The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 7:20 UTC (Thu) by fwiesweg (guest, #116364)

So SolarWinds would have been prevented by trusting a non-signed package? I doubt it. Additionally, I don't think analyzing that unsigned package bit for bit is realistic, either, nobody has time for that and most organizations out there lack the required skill set. It happened despite the signature, not because of it.

Like everything we do, security-related work is iterative in nature and this is but a single building stone to secure the supply chain. Further steps are required and might include many things, from reviewed packages (signed by the reviewers, too), automatic content analyses (so packages are signed by those systems, too), etc., but there'd be no point in all of that if you can't even guarantee that the source package arrives on your disk without having been tampered with somewhere between you and the maintainer/reviewer. So something like sigstore is a first and necessary, but in itself still insufficient step.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 7:51 UTC (Thu) by LtWorf (subscriber, #124958)

I think this is more for clueless projects like yarn that, when the repository key expires, just make a new one.

No thought about making a keyring package and using it to introduce the new key before the old one expires.

https://github.com/yarnpkg/yarn/issues/7866
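The rotation LtWorf describes, a keyring package that introduces the new key while the old one is still trusted, as an added example in Go that is not part of this thread, of yarn, or of sigstore. It models a client keyring where a new repository key is accepted only if it is certified by a key that is still valid at the time the update is applied, so an update shipped after the old key has expired is rejected and packages signed by the new key cannot be verified. Key IDs, validity windows and the package contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// repoKey is a repository signing key with a validity window.
type repoKey struct {
	ID        string
	Pub       ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
}

// keyring is the client's set of trusted repository keys, i.e. what a
// distribution ships as its keyring package.
type keyring struct{ keys map[string]repoKey }

// keyringUpdate is what a keyring package carries: the new key plus a
// signature over it by a key the client already trusts.
type keyringUpdate struct {
	New      repoKey
	SignerID string
	Sig      []byte
}

// keyBytes is the canonical encoding that a certifying key signs:
// key id, public key and validity window (constructed format for the example).
func keyBytes(k repoKey) []byte {
	b := []byte("repo-key-v1\x00" + k.ID + "\x00")
	b = append(b, k.Pub...)
	var t [16]byte
	binary.BigEndian.PutUint64(t[0:8], uint64(k.NotBefore.Unix()))
	binary.BigEndian.PutUint64(t[8:16], uint64(k.NotAfter.Unix()))
	return append(b, t[:]...)
}

// lookup returns a trusted key only if it is within its validity window at now.
func (kr *keyring) lookup(id string, now time.Time) (repoKey, error) {
	k, ok := kr.keys[id]
	if !ok {
		return repoKey{}, fmt.Errorf("key %q is not in the keyring", id)
	}
	if now.Before(k.NotBefore) || now.After(k.NotAfter) {
		return repoKey{}, fmt.Errorf("key %q is not valid at %s", id, now.UTC().Format(time.RFC3339))
	}
	return k, nil
}

// applyUpdate accepts a new key only when a currently valid key certifies it.
func (kr *keyring) applyUpdate(u keyringUpdate, now time.Time) error {
	signer, err := kr.lookup(u.SignerID, now)
	if err != nil {
		return fmt.Errorf("keyring update rejected: %w", err)
	}
	if !ed25519.Verify(signer.Pub, keyBytes(u.New), u.Sig) {
		return errors.New("keyring update rejected: bad signature on new key")
	}
	kr.keys[u.New.ID] = u.New
	return nil
}

// verifyPackage checks that the package digest is signed by a key valid at now.
func (kr *keyring) verifyPackage(pkg []byte, keyID string, sig []byte, now time.Time) error {
	k, err := kr.lookup(keyID, now)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(k.Pub, digest[:], sig) {
		return errors.New("bad package signature")
	}
	return nil
}

func newKey(id string, nb, na time.Time) (repoKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return repoKey{ID: id, Pub: pub, NotBefore: nb, NotAfter: na}, priv
}

// rotationScenario ships the keyring update either before or after the old
// key expires and then verifies a package signed by the new key. Dates are constructed.
func rotationScenario(updateBeforeExpiry bool) error {
	t0 := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	oldKey, oldPriv := newKey("old", t0, t0.AddDate(1, 0, 0))                // valid through 2021
	newK, newPriv := newKey("new", t0.AddDate(0, 6, 0), t0.AddDate(3, 0, 0)) // overlaps the old key
	kr := &keyring{keys: map[string]repoKey{oldKey.ID: oldKey}}
	update := keyringUpdate{New: newK, SignerID: "old", Sig: ed25519.Sign(oldPriv, keyBytes(newK))}
	when := t0.AddDate(1, 1, 0) // a month after the old key expired
	if updateBeforeExpiry {
		when = t0.AddDate(0, 9, 0) // old key still valid
	}
	if err := kr.applyUpdate(update, when); err != nil {
		return err
	}
	digest := sha256.Sum256([]byte("constructed package contents"))
	return kr.verifyPackage([]byte("constructed package contents"), "new", ed25519.Sign(newPriv, digest[:]), t0.AddDate(1, 2, 0))
}

func main() {
	fmt.Println("update shipped before expiry:", rotationScenario(true))
	fmt.Println("update shipped after expiry: ", rotationScenario(false))
}
```

The overlap between the two validity windows is the whole point: once the old key has expired there is no trusted key left to certify its replacement, and the client is back to accepting a new key on faith, which is exactly the situation the yarn issue above describes.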


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds