Marina Moore and Zachary Newman
Not all that's Signed is Secure: Verify the Right Way with TUF and Sigstore

The problem
- Sigstore has more developers signing software
- So users are more secure, right?
- Signatures only help when verified correctly
- Antipattern: verify software was signed, but not who signed it

Solution summary
- Enable flexible, smart policy enforcement
  - Flexible: different policies in different settings
  - Smart: existing, secure solutions (TUF + in-toto)
- Worked examples:
  - Open source package repositories
  - Internal container registries
  - Everything in between

Software supply chain security

Why sign software? Part of the solution.
- You download software from the right place, but it's not what the owner intended
  - Compromised account
  - Compromised build process
  - Compromised package repository

Why sign software? Part of the solution. Not all attacks!
- Normal vulnerabilities
- Underhanded PRs
- Blackmailing authors
- If you know who's supposed to sign a package, signing helps. Big "if"; will revisit later

Sigstore
- Easy signing for containers and more
- No key management:
  - Sign with SSO
  - Sign with machine identity
- Transparency: detect misbehavior

Sigstore
- Fulcio (CA): issues short-lived certificates for OIDC credentials ("login with Facebook")
- Rekor (log): timestamps signatures, records metadata
- Cosign: stick signatures in OCI registries

Verification Policies
[Diagram: User sends GET nginx:latest to the Container Registry; the registry returns nginx sha256:... with a signature; the user's check reports "Verified!"]

Verification Policies
[Diagram: the same flow, but the signature on nginx sha256:... was made by EVIL HACKER; the user's check still reports "Verified!"]

Verification Policies
- Verification policies help us interpret signatures.
- What do I mean when I sign something?
- Did I look at every byte in the binary?
- We can attach specific meanings to signatures (claims)
[Diagram: "I claim ...", "Signed"]

Verification Policies
- Simple: universal signer. Signature = "this binary is good"
- Ownership: package P came from Ali
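The two "Verified!" diagrams and the claims slide above describe the same failure: the verifier checks that a signature is cryptographically valid but never asks whether the signer is the identity the policy expects for that package. The following Python is an added example written for this page, not code from the talk or from the Sigstore project. It stands in for Fulcio-issued certificates with a small dataclass binding an OIDC issuer and subject to a key, and uses HMAC (standard library only) in place of real public-key signatures, so the verifier holding the key is a simplification of the simulation, not how Sigstore works. The issuer URL, e-mail subjects, image bytes and policy are all constructed placeholders.

```python
"""Toy verification policies: 'it was signed' vs 'the right identity signed it'."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Stand-in for a Fulcio certificate: an OIDC identity bound to a signing key.

    Assumption for this demo: `key` is an HMAC secret. Real Sigstore certificates
    carry a public key and the signature is asymmetric (e.g. ECDSA).
    """
    issuer: str   # OIDC provider that authenticated the signer
    subject: str  # account the provider vouched for (e-mail, service account, ...)
    key: bytes


@dataclass(frozen=True)
class Signature:
    cert: Certificate
    digest: str   # sha256 of the artifact, like the image digest Cosign signs
    value: bytes


def sign(cert: Certificate, artifact: bytes) -> Signature:
    digest = hashlib.sha256(artifact).hexdigest()
    value = hmac.new(cert.key, digest.encode(), hashlib.sha256).digest()
    return Signature(cert, digest, value)


def signature_is_valid(sig: Signature, artifact: bytes) -> bool:
    """Cryptographic check only: does the signature cover this artifact under this cert's key?"""
    digest = hashlib.sha256(artifact).hexdigest()
    if sig.digest != digest:
        return False
    expected = hmac.new(sig.cert.key, digest.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.value)


def verify_signed_only(sig: Signature, artifact: bytes) -> bool:
    """Antipattern from the talk: accept any valid signature, whoever made it.

    Anyone who can log in with SSO can obtain a certificate, so an attacker's
    signature passes this check just as well as the maintainer's.
    """
    return signature_is_valid(sig, artifact)


def verify_with_policy(package: str, sig: Signature, artifact: bytes, policy: dict) -> bool:
    """Correct pattern: valid signature AND the signer identity is one the policy
    names for this package. `policy` maps package name -> set of (issuer, subject)."""
    if not signature_is_valid(sig, artifact):
        return False
    return (sig.cert.issuer, sig.cert.subject) in policy.get(package, set())


# Constructed demo data (placeholders, not real identities or images)
OIDC_ISSUER = "https://oidc.example.com"
MAINTAINER = Certificate(OIDC_ISSUER, "maintainer@example.com", b"maintainer-demo-key")
ATTACKER = Certificate(OIDC_ISSUER, "attacker@example.com", b"attacker-demo-key")
IMAGE = b"nginx:latest image layers (constructed bytes)"
POLICY = {"nginx": {(OIDC_ISSUER, "maintainer@example.com")}}


def run_demo() -> dict:
    """Exercise both verifiers against the maintainer's signature, an attacker's
    signature on the same bytes, and a tampered artifact."""
    good = sign(MAINTAINER, IMAGE)
    evil = sign(ATTACKER, IMAGE)
    tampered = IMAGE + b" + modified layer"
    return {
        "signed_only_accepts_maintainer": verify_signed_only(good, IMAGE),
        "signed_only_accepts_attacker": verify_signed_only(evil, IMAGE),   # the antipattern
        "policy_accepts_maintainer": verify_with_policy("nginx", good, IMAGE, POLICY),
        "policy_rejects_attacker": not verify_with_policy("nginx", evil, IMAGE, POLICY),
        "policy_rejects_tampered": not verify_with_policy("nginx", good, tampered, POLICY),
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The design point is that the policy lives outside the signature: the signature proves which OIDC identity signed which digest, and the verifier, not the signer, decides whether that identity is allowed to vouch for this package. Swapping the per-package identity set for a TUF or in-toto layout is the "smart" enforcement the talk's solution summary refers to.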