-
Notifications
You must be signed in to change notification settings - Fork 578
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider endorsing/using Sigstore #642
Comments
Thanks for raising this @BethGriggs , sure we are happy to come onto a call or we can take questions in here, whichever the community prefers. |
There's a presentation https://www.youtube.com/watch?v=3LKHKpcH2x8 |
I have been exploring the feasibility of utilizing Sigstore tooling for signing Node.js binaries (with initial assistance from @lukehinds). While there are some potential benefits, from my exploration there are also tradeoffs to consider such as:
I believe it is important to reflect on the fundamental problems we are seeking to address and whether Sigstore tooling helps us to solve them. I've heard various community members suggest for us to adopt Sigstore tooling - I'm curious to hear the origins of those suggestions. So, my main ask is:
Anyone with an interest, please free to review this Sigstore for Node.js binaries document. The current state of that document is somewhere between a personal scratch-pad of notes and an evolving proposal draft. I hope for that document to eventually help us converge on a decision or outcome of whether we feel Sigstore would add value for the Node.js project to adopt (or not). cc groups that may have opinions: @nodejs/release, @nodejs/build, @nodejs/tsc I'm going to add this to the issue description so it's not as buried. |
cc :@nodejs/security-wg |
Proposal/Exploration document: Sigstore for Node.js binaries
I believe it is important to reflect on the fundamental problems we are seeking to address and whether Sigstore tooling helps us to solve them. I've heard various community members suggest for us to adopt Sigstore tooling - I'm curious to hear the origins of those suggestions. So, my main ask is:
While there are some potential benefits, from my exploration there are also tradeoffs to consider such as:
Anyone with an interest, please free to review this Sigstore for Node.js binaries document. The current state of that document is somewhere between a personal scratch-pad of notes and an evolving proposal draft. I hope for that document to eventually help us converge on a decision or outcome of whether we feel Sigstore would add value for the Node.js project to adopt (or not).
cc groups that may have opinions: @nodejs/release, @nodejs/build, @nodejs/security, @nodejs/tsc
Initial suggestion
Chatting with some of the folks working on Rekor (https://rekor.dev/get_started/), they've suggested that it might be something we wish to explore/endorse for Node.js releases.
I will likely not explain it as well as the Rekor folks, but the ledger would be a source of truth for the URL, SHA, Public Key, and Signature of our releases that users can validate against. I believe there is also alerting we could set up - for example, if an old/previous release key was used to sign a release.
They have offered to give us an overview if there's interest. I also believe they've prototyped a ledger for Node.js releases.
cc: @nodejs/build
also cc (from rekor): @bobcallaway @dlorenc @lukehinds
The text was updated successfully, but these errors were encountered: