README.md (+11 -2)
@@ -257,8 +257,18 @@ jobs:
257
257
sarif_file: results.sarif
258
258
```
259
259
## Verifying the Authenticity and Integrity of Scorecard Results
260
+
The scorecard system uses several components from [sigstore](https://github.com/sigstore) to ensure tamper-resistant results. These components include cosign, fulcio, and rekor.
260
261
261
-
This diagram illustrates how Scorecard validates the authenticity and integrity of the results it produces.
262
+
Cosign helps to sign the scorecard action results with a cryptographic signature and stores the hash in a tamper-proof store called rekor, which uses technology based on Merkel trees (a specific type of data structure used in blockchain systems).
263
+
264
+
Fulcio is a free certificate authority that issues short-lived code signing certificates for OpenID Connect identities, such as email addresses. Cosign uses fulcio for ephemeral keys and certificates.
265
+
266
+
Rekor is a system that aims to provide an unchanging ledger of metadata generated within a software project's supply chain. It allows software maintainers and build systems to record signed metadata, which is then recorded in an immutable record using Merkel trees. Other parties can use this metadata to determine if they can trust the lifecycle of an object. Cosign stores the signed hash of the result in rekor to further enhance the tamper resistance of the scorecard system.
267
+
268
+
You can learn more about Merkel trees at this link: https://en.wikipedia.org/wiki/Merkle_tree
269
+
270
+
271
+
This diagram illustrates how Scorecard validates the authenticity and integrity of the results it produces.This process allows the repository owner to verify the authenticity and integrity of the scorecard results and make them available for others to access and use.
262
272
263
273
```mermaid
264
274
sequenceDiagram
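Review bot: "stores the hash in a tamper-proof store called rekor" in the new Cosign paragraph overstates what a transparency log provides; an append-only Merkle-tree log is tamper-evident (any modification or removal of an entry is detectable against the signed tree head), not tamper-proof, so "tamper-evident, append-only log" is the accurate wording, and the same applies to "to further enhance the tamper resistance" in the Rekor paragraph. The parenthetical "a specific type of data structure used in blockchain systems" invites readers to think Rekor is a blockchain; Merkle trees predate blockchains and are the structure behind Certificate Transparency logs, so drop the blockchain framing or cite CT instead. "Merkel trees" is misspelled in all three occurrences (the Wikipedia link itself reads Merkle_tree). "Cosign uses fulcio for ephemeral keys and certificates" is also off: Cosign generates the ephemeral key pair locally and Fulcio only issues the short-lived certificate binding that key to the OIDC identity, so something like "Cosign uses fulcio to obtain a short-lived certificate for its ephemeral key" would be correct. The moved closing sentence is now fused to the diagram lead-in with no space after "produces." and says "This process allows" before the diagram and the numbered steps have described any process; either keep it as the final numbered step, where it was, or reword it as "The process below allows ...". Minor: three consecutive blank lines are added before that paragraph, and the component names switch between lower case ("cosign, fulcio, and rekor") and capitalized forms.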
@@ -275,4 +285,3 @@ api.securityscorecards.dev->>Scorecard action: Return status
275
285
1. The cosign library, which is embedded in the Scorecard action, signs and stores a hash of result.json file in the `rekor.sigstore.dev` service.
276
286
1. The result.json file is posted to the `api.securityscorecards.dev` service.
277
287
1. The `api.securityscorecards.dev` service validates the authenticity of the results with `rekor.sigstore.dev` before storing the results.
278
-
1. This process allows the repository owner to verify the authenticity and integrity of the scorecard results and make them available for others to access and use.
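Review bot: removing the final step leaves the list ending at "validates the authenticity of the results with `rekor.sigstore.dev`" without saying what that validation checks, or how the repository owner the moved sentence mentions can verify the results independently. The steps above name the artifact (result.json), the log (`rekor.sigstore.dev`) and the API, but never the identity in the signing certificate; confirming that a Rekor entry exists and matches the hash of result.json proves inclusion in the log, not that the repository's own Scorecard workflow produced the file. Suggest replacing the deleted line with a step that states which certificate identity and OIDC issuer the API checks the Rekor entry against, and noting that a maintainer can perform the same check locally with `cosign verify-blob`, rather than dropping the concluding step altogether.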