So You Want to Run Your Own Sigstore_ Recommendations for a Secure Setup.pdf

《So You Want to Run Your Own Sigstore_ Recommendations for a Secure Setup.pdf》由会员分享，可在线阅读，更多相关《So You Want to Run Your Own Sigstore_ Recommendations for a Secure Setup.pdf（33页珍藏版）》请在三个皮匠报告上搜索。

1、Hayden BlauzvernGoogle Open Source Security TeamSo You Want to Run Your Own Sigstore:Recommendations for a Secure SetupSigstore OverviewSigstore OverviewProject under the OpenSSF(Linux Foundation)Simplify code-signing for artifactsFree,publicly available transparency log and certificate authorityNo

2、key managementSigstore Overview-FulcioSigstore Overview-RekorSigstore OverviewWhy a Private Sigstore?Performance/availabilityCompliancePrivacyRecommendations for a Secure SetupSelf-Managed PKIArtifact Signing KeysDistributionStorageCompromiseArtifact Signing KeysSigstore defaults to ephemeral keysCa

3、n issue identity-based certificates for long-lived keys(blog post)What do you want for a verification policy?Private CAsExisting CAs(step-ca,GCP CA Service,AWS Private CA,etc)issuing certificates that conform to the Fulcio certificate profileConsider key management,access controls,and rotationPrivat

4、e FulcioCertificate Transparency for an immutable issuance logSame key management considerations for signing backendPrivate TransparencyWhats a Transparency Log?Based on Merkle TreesImmutable and append-onlyApplicationsCertificate TransparencyBinary TransparencyKey TransparencyTransparency Logs in S

5、igstoreFulcio writes issued certificates to a certificate transparency logRekor entries are appended to a transparency logDo I Need Transparency Logs?Do you have an existing system for audit logging?Will artifacts ever be released publicly?Do you want an immutable record of issuance and signing?Can

6、you use a database instead?You Must Monitor!You Must Monitor!OSS monitors:https:/ https:/ TimestampingTimestamping in SigstoreTimestamping in SigstoreTimestamping in SigstoreTimestamping in SigstoreRoots of TrustProblems with Key Management