sigstore-java, currently under development but not yet ready for general use, is a tool for signing and verifying Java package distributions using Sigstore’s keyless signing. This is another step Sigstore is taking towards securing the software supply chain.
Sigstore signing enables software developers to securely sign software artifacts such as release files, container images, and binaries. These signatures are then stored for free in a tamper-resistant public log.
As a refresher, the Sigstore ecosystem consists of:
For signing, verifying and storing containers in an Open Container Initiative (OCI) registry, making signatures an invisible infrastructure.
A built-in transparency and timestamping service, Rekor records signed metadata in a ledger that can be searched, but not tampered with.
- Open ID Connect
A layer of identity that checks that you are who you say you are. It allows customers to request and receive information about authenticated sessions and users.
A free root certificate authority, which issues temporary certificates to an authorized identity and publishes them in the Rekor transparency log.
- Certificate Authority
A mechanism that generates certificates, binds cryptographic keys to an identity, and performs an independent check of an artifact’s information.
- Trust the root
The foundation of trust behind the whole of sigstore, our key holders and practices to protect the root keys.
The sigstore-java client library under development will provide a native Java implementation for the signing and verification services.
The intuition is that the OSSRH, aka Maven Central, plans to replace its legacy PGP-based system for signing Java distributions with that of Sigstore. The old way, while working, mainly had its own problems:
As with other registries, the value of these signatures is not actually realized due to shortcomings in the public key infrastructure, developer tooling, and no existing developer chain of trust.
Sigstore is designed to solve these problems with elegance and runtime features that are especially attractive in common Java development and CI environments.
The migration process from PGP to Sigstore is divided into several steps:
- Phase 0 – Maven Central has traditionally required a PGP signature for all uploaded artifacts.
That requirement is removed for Sigstore signature artifacts.
- Phase 1 — Include Sigstore signature verification in Maven Central repository pre-release checks. The supported workflows are:
artifact set + PGP signature + Sigstore signature
artifact set + PGP signature
artifact set + Sigstore signature
All provided cryptographic signatures are verified in all workflows.
- Phase 2 and beyond — Verification
To make it easier to sign and publish to Maven Central, the signing activity is included in Java’s build tools
Maven and Gradle. Gradle versions 7.3 or later are intended to support Sigstore signing, while verification requires version 8.2+.
As for Maven, there is already the Maven Sigstore plugin that supports generating and publishing Sigstore signatures to Central. The work done on the repository will eventually collapse into the Sigstore Java project.
We are, of course, talking about signing the final result, the build. But what about starting from the bottom of the entire chain all the way to the build? Sigstore also has an answer to that with GitSign. As explored in “Protect the Software Supply Chain with Gitsign”:
Since everyone is on Git, what better way to start signing the first artifacts of the supply chain, the commits? While Sigstore had released tools for signing containers and binaries, there was nothing for signing git commits. This is about to change with Gitsign, which allows you to keyless sign your commits using your GitHub/OIDC identity.
Not only does this relieve you of the burden of managing the keys yourself, it also solves the issue of those keys often being written into the source of the repo itself, effectively canceling the signing process.
So when you sign commits as usual with git commit -S, your browser will now redirect through the Sigstore’s Keyless flow to authenticate and sign the commit. I say like “usual” since GitHub already offered signing commits with SSH keys and x509 certificates that bore the cost of managing the keys. Gitsign now removes this need.
Of course, there is much more to do when it comes to securing the supply chain and the latest ChainGuard “SLSA++ A Survey of Software Supply Chain Security” takes a closer look at how the industry is adopting best practices. For extensive commentary, check “Surveying Software Supply Chain Security”.
Surveying Software Supply Chain Security
Protect the software supply chain with Gitsign
Does Sigstore really secure the supply chain?
Sigstore Reaches General Availability