📖 Verifying the Authenticity and Integrity of Scorecard Results #1058
Just a few suggestions!
Minor changes, LGTM
Thanks @olivekl for making it better! Appreciate the detailed feedback and suggestion!

- Included section about `Verifying the Authenticity and Integrity of Scorecard Results`
- Included a mermaid diagram.

Signed-off-by: naveensrinivasan <[email protected]>
Co-authored-by: olivekl <[email protected]> Signed-off-by: Naveen <[email protected]>
Included additional information based on code review comments. Signed-off-by: Naveen <[email protected]>
Co-authored-by: olivekl <[email protected]> Signed-off-by: Naveen <[email protected]>
Fulcio is a free certificate authority that issues short-lived code signing certificates for OpenID Connect identities, such as email addresses. Cosign uses fulcio for ephemeral keys and certificates.

Rekor is a system that aims to provide an unchanging ledger of metadata generated within a software project's supply chain. It allows software maintainers and build systems to record signed metadata, which is then recorded in an immutable record using Merkel trees. Other parties can use this metadata to determine if they can trust the lifecycle of an object. Cosign stores the signed hash of the result in rekor to further enhance the tamper resistance of the Scorecard system.
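Review bot: "Merkel trees" in the Rekor paragraph should read "Merkle trees"; the link text added later in this section already uses the correct spelling (`Merkle_tree`), so the two should agree.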
nit: unchanging -> immutable
You could just say "is a transparency log" for signatures, and link to their repo or some of Sigstore's official docs.
Rekor is a system that aims to provide an unchanging ledger of metadata generated within a software project's supply chain. It allows software maintainers and build systems to record signed metadata, which is then recorded in an immutable record using Merkel trees. Other parties can use this metadata to determine if they can trust the lifecycle of an object. Cosign stores the signed hash of the result in rekor to further enhance the tamper resistance of the Scorecard system.

You can learn more about Merkel trees at this link: https://en.wikipedia.org/wiki/Merkle_tree
There is a simplification you've made that people will point out is insecure. We don't just validate a signature: we validate the code of the workflow that produced the result. Signing something does not ensure that the code that ran is the right one.
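As an added illustration of why a Merkle-tree ledger such as Rekor gives tamper evidence (this is example code written for this page, not code from the PR or from Scorecard): a verifier holding only the log's trusted root hash can check an inclusion proof for one logged entry, and any change to the entry, its position or the proof makes the recomputed root differ. It uses the RFC 6962 domain-separated hashing (0x00 for leaves, 0x01 for interior nodes); the simple balanced tree layout and the sample entries are constructed for the example and are not Rekor's exact layout or record format.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 leaf hash: 0x00 prefix separates leaves from interior nodes.
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    # RFC 6962 interior-node hash: 0x01 prefix.
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(entries):
    # Returns (root, levels); levels[0] is the leaf hashes in log order.
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:           # odd trailing node is carried up unchanged
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return level[0], levels

def inclusion_proof(levels, index):
    # Sibling hashes a verifier needs to recompute the root from leaf `index`.
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(level[sibling])
        index //= 2
    return proof

def verify_inclusion(entry, index, tree_size, proof, trusted_root):
    # Recompute the root from the entry plus proof and compare to the trusted root.
    h, size, path = leaf_hash(entry), tree_size, list(proof)
    while size > 1:
        sibling = index ^ 1
        if sibling < size:
            if not path:
                return False
            s = path.pop(0)
            h = node_hash(h, s) if index % 2 == 0 else node_hash(s, h)
        index, size = index // 2, (size + 1) // 2
    return not path and h == trusted_root

# Constructed sample entries standing in for the signed result hashes written to the log.
ENTRIES = [f"repo=example/repo-{i} sha256={('%02x' % i) * 32}".encode() for i in range(5)]

def demo():
    root, levels = build_tree(ENTRIES)
    all_ok = all(verify_inclusion(e, i, len(ENTRIES), inclusion_proof(levels, i), root)
                 for i, e in enumerate(ENTRIES))
    tampered = verify_inclusion(b"altered result", 0, len(ENTRIES), inclusion_proof(levels, 0), root)
    return all_ok, tampered  # (True, False): an altered entry cannot reproduce the root
```

Holding the root alone is what lets a relying party detect an altered or removed entry; it says nothing about whether the workflow that produced the logged result was the right one, which is the separate check the comment above describes.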
see inline comments
@naveensrinivasan Do you still plan to work on this? I will be writing a closely related section to deal with #1150, and would like this to be merged
@@ -40,6 +40,8 @@ ________ | |||
- [Publishing Results](#publishing-results) | |||
- [Uploading Artifacts](#uploading-artifacts) | |||
- [Workflow Example](#workflow-example) | |||
[Verifying the Authenticity and Integrity of Scorecard Results](#verifying-the-authenticity-and-integrity-of-scorecard-results) |
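Review bot: the new table-of-contents entry lacks the leading `- ` that the three entries above it carry, so it renders as a paragraph instead of continuing the list; prefix it with `- ` to match `- [Workflow Example](#workflow-example)`.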
missing a `-` so the list breaks
Pull request was closed
Verifying the Authenticity and Integrity of Scorecard Results
Signed-off-by: naveensrinivasan [email protected]