logo
allArticlesConferencesPresentations

Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore

Conference:  Cloud Native SecurityCon North America 2023

Authors:   Zachary Newman, Marina Moore

Summary

The presentation discusses the importance of verifying signatures correctly and introduces the use of Sigstore, The Update Framework (TUF), and in-toto to improve security in open source package repositories and internal container registries.
  • Signatures are only helpful when verified correctly
  • Flexible and smart policy enforcement is necessary for different settings
  • Using existing secure solutions can protect against various attacks
  • Examples of using TUF and Sigstore in open source package repositories and internal container registries are provided
The presentation highlights the anti-pattern of verifying that something is signed but not checking who signed it, which can lead to security issues. It emphasizes the need for proper verification and policy enforcement to ensure security.

Abstract

It’s easy to think that because more developers are signing software, the consumers of that software are necessarily more secure. However, a signature is only useful if verified correctly. One common failure mode is to verify that some software was signed, but not check who signed it. This means that you’ll treat a signature from [email protected] the same as a signature from yourself! We want to check that software came from the right person, but how do we know who that is? In this talk, Marina Moore and Zachary Newman will show how you can answer that question, securely. First, use Sigstore to make signing easy. Then, use CNCF projects The Update Framework (TUF) and in-toto to concretely improve security of open source package repositories, internal container registries, and everything in between. Cut through the hype and see how to sign software in order to increase security. Learn what signing can do—and what it can’t. With this knowledge, you can design appropriate verification policies for your project or organization. You’ll also learn how the open source software repositories you depend on are adopting these techniques to ensure that the code you download comes from the authors you expect.
Materials:
Tags:

Post a comment

Related work

TUF-En Up Your Signatures

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Justin Cappos, Marina Moore
2022-10-27

sigstore: How We Started, Where We Are, Where We are Headed

Conference:  KubeCon + CloudNativeCon North America 2021
Authors: Bob Callaway, Dan Lorenc
2021-10-13

HackPac: Hacking Pointer Authentication in iOS User Space

Conference:  Defcon 27
Authors:
2019-08-01

Kubernetes Supply Chain Security: The Software Factory

Conference:  KubeCon + CloudNativeCon North America 2021
Authors: Andrew Martin
2021-10-13

A SSLippery Slope: Unraveling the Hidden Dangers of Certificate Misuse

Conference:  Defcon 31
Authors: Bill Demirkapi Microsoft Security Response Center
2023-08-01

Maintaining TUF, a Talk

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Lukas Pühringer, Joshua Lock
2023-04-21