[Resource Topic] 2023/003: How to Use Sigstore without Sigstore

Welcome to the resource topic for 2023/003

Title:
How to Use Sigstore without Sigstore

Authors: Yan-Cheng Chang

Abstract:

Sigstore is a Linux Foundation project aiming to become the new standard for signing software artifacts. It consists of a free certificate authority called Fulcio, a tamper-resistant public log called Rekor, and an optional federated OIDC identity provider called Dex, where Rekor also acts as the timestamping service. Several command line interfaces (CLIs), written in different languages, are available to interact with it for signing software artifacts.

Ironically, we will show in this paper the design of Sigstore eliminates the need of Sigstore, i.e., the key components mentioned above are inessential. Specifically, we will first show how to remove the dependency on Fulcio from existing CLIs while keeping the CLIs work. Next, we will show how to remove the dependency on Rekor from the CLIs. Last, we will explain why relying on Dex, an optional black box with too much power, should be avoided.

As none of Fulcio, Rekor, and Dex is essential to making existing CLIs work, we conclude that they are unnecessary trusted third parties which the open source community should avoid employing. Instead, existing CLIs can be easily adapted to remove the dependency on them while providing the same functionality and user experience. The design of Sigstore is an example of solving a problem with a method which requires the solution as the input.

ePrint: https://eprint.iacr.org/2023/003

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .