diff --git a/SECURITY.md b/SECURITY.md index fe1e76dd17..197824b4f3 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -28,14 +28,14 @@ vendor to reduce surface area. ## Native Security Verification -mise provides **native Rust implementation** for security verification of tools, eliminating the need for external dependencies like `cosign`, `slsa-verifier`, or `gh` CLI tools. This applies to tools using the aqua backend. +mise provides **native Rust implementation** for security verification of tools, eliminating the need for external dependencies like `cosign`, `slsa-verifier`, `minisign`, or `gh` CLI tools. This applies to tools using the aqua backend. ### Supported Verification Methods -- **Cosign signatures**: Native keyless and key-based signature verification -- **SLSA provenance**: Native verification of Supply-chain Levels for Software Artifacts (SLSA) attestations -- **GitHub Artifact Attestations**: Native verification of GitHub's artifact attestation system -- **Minisign verification**: Uses the `minisign` CLI tool (external dependency) +- **Cosign signatures**: Keyless and key-based signature verification +- **SLSA provenance**: Verification of Supply-chain Levels for Software Artifacts (SLSA) attestations +- **GitHub Artifact Attestations**: Verification of GitHub's artifact attestation system +- **Minisign verification**: Verification of minisign signatures - **Checksum verification**: Always enabled for supported backends ### Configuration diff --git a/docs/dev-tools/backends/aqua.md b/docs/dev-tools/backends/aqua.md index d525b10830..b47fcad78f 100644 --- a/docs/dev-tools/backends/aqua.md +++ b/docs/dev-tools/backends/aqua.md 
@@ -2,8 +2,7 @@ [Aqua](https://aquaproj.github.io/) tools may be used natively in mise. aqua is the ideal backend to use for new tools since they don't require plugins, they work on windows, they offer security -features like cosign/slsa verification in addition to checksums. aqua installs also show more progress -bars, which is nice. +features in addition to checksums. aqua installs also show more progress bars, which is nice. You do not need to separately install aqua. The aqua CLI is not used in mise at all. What is used is the [aqua registry](https://github.com/aquaproj/aqua-registry) which is a bunch of yaml files that get compiled into the mise binary on release. @@ -110,7 +109,7 @@ export MISE_AQUA_SLSA=true Aqua also supports: -- **Minisign verification**: Uses minisign for signature verification (requires minisign CLI) +- **Minisign verification**: Uses minisign for signature verification - **Checksum verification**: Verifies SHA256/SHA512/SHA1/MD5 checksums (always enabled) ### Verification Process diff --git a/docs/dev-tools/comparison-to-asdf.md b/docs/dev-tools/comparison-to-asdf.md index 0934970fe1..0eb6bd060b 100644 --- a/docs/dev-tools/comparison-to-asdf.md +++ b/docs/dev-tools/comparison-to-asdf.md @@ -63,7 +63,7 @@ feel like defeats the purpose of having a dedicated org in the first place. By t would like for there to no longer be any asdf plugins in the registry that aren't owned by me. I've also been adopting extra security verification steps when vendors offer that ability such as -gpg verification on node installs, and native SLSA/Cosign/GitHub attestation verification for aqua tools. +gpg verification on node installs, and native Cosign/SLSA/Minisign/GitHub attestation verification for aqua tools. ## UX 
@@ -152,7 +152,7 @@ that provide the underlying tool. Where possible, mise does not use asdf plugins and instead uses backends like aqua and ubi which do not require separate plugins. -Aqua tools include native cosign/SLSA/GitHub attestation verification built into mise. +Aqua tools include native Cosign/SLSA/Minisign/GitHub attestation verification built into mise. See [SECURITY](https://github.com/jdx/mise/blob/main/SECURITY.md) for more information. ## Command Compatibility diff --git a/docs/tips-and-tricks.md b/docs/tips-and-tricks.md index 472c69a826..cb0fe3e726 100644 --- a/docs/tips-and-tricks.md +++ b/docs/tips-and-tricks.md @@ -128,7 +128,7 @@ Don't do this inside of scripts because mise may add a command in a future versi ## Software verification -mise provides **native software verification** for aqua tools without requiring external dependencies. For aqua tools, cosign signatures, SLSA provenance, and GitHub attestations are verified automatically using mise's built-in implementation. +mise provides **native software verification** for aqua tools without requiring external dependencies. For aqua tools, Cosign/Minisign signatures, SLSA provenance, and GitHub attestations are verified automatically using mise's built-in implementation. For other verification needs (like GPG), you can install additional tools: @@ -145,6 +145,7 @@ To configure aqua verification (all enabled by default): export MISE_AQUA_COSIGN=false export MISE_AQUA_SLSA=false export MISE_AQUA_GITHUB_ATTESTATIONS=false +export MISE_AQUA_MINISIGN=false ``` ## [`mise up --bump`](/cli/upgrade.html)
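Review bot: In SECURITY.md (hunk at line 28), the rewritten "Supported Verification Methods" list does not say which checks can be switched off, even though the unchanged checksum bullet still says "Always enabled". The docs/tips-and-tricks.md hunk in this patch adds `MISE_AQUA_MINISIGN`, so Minisign is now configurable in the same way as `MISE_AQUA_COSIGN`, `MISE_AQUA_SLSA` and `MISE_AQUA_GITHUB_ATTESTATIONS`. Suggest naming the setting on the Minisign bullet, or confirming that the "### Configuration" section that follows lists `MISE_AQUA_MINISIGN` with the other three.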
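Review bot: In docs/dev-tools/backends/aqua.md (hunk at line 2), shortening "security features like cosign/slsa verification in addition to checksums" to "security features in addition to checksums" removes the only concrete description of those features from the intro. Suggest either naming the methods (Cosign, SLSA, Minisign, GitHub attestations) or linking to the "### Verification Process" section further down the same page, so a reader evaluating the backend can see what is actually verified.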
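Review bot: In docs/dev-tools/backends/aqua.md (hunk at line 110), the Minisign bullet is left under "Aqua also supports:" beside the checksum bullet marked "(always enabled)", which now reads as if Minisign cannot be turned off. This patch documents a `MISE_AQUA_MINISIGN` setting in docs/tips-and-tricks.md, and the hunk header shows `export MISE_AQUA_SLSA=true` as the preceding context. Suggest documenting `MISE_AQUA_MINISIGN` next to that setting and moving Minisign out of the "also supports" list so the page is consistent about which checks are optional.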
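Review bot: In docs/dev-tools/comparison-to-asdf.md (hunks at lines 63 and 152), the phrase "native Cosign/SLSA/Minisign/GitHub attestation verification" reads as though "attestation" applies to all four items, and it differs from the wording this patch uses in docs/tips-and-tricks.md ("Cosign/Minisign signatures, SLSA provenance, and GitHub attestations"). Suggest reusing that wording in both places so signatures, provenance and attestations are described the same way across the docs.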
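Review bot: In docs/tips-and-tricks.md (hunk at line 145), adding `export MISE_AQUA_MINISIGN=false` completes a paste-ready block in which every signature, provenance and attestation check is set to `false`, under a heading line that only says "all enabled by default". Suggest adding a sentence or a comment line in the block stating that these lines opt out of verification and are not needed for normal use, or showing the `=true` defaults instead, so the example is not copied into shell profiles as recommended configuration.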