
Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore

Authors: Zachary Newman, Marina Moore


Summary

The presentation discusses the importance of verifying signatures correctly and introduces the use of Sigstore, The Update Framework (TUF), and in-toto to improve security in open source package repositories and internal container registries.
  • Signatures are only helpful when verified correctly
  • Flexible and smart policy enforcement is necessary for different settings
  • Using existing secure solutions can protect against various attacks
  • Examples of using TUF and Sigstore in open source package repositories and internal container registries are provided
The presentation highlights the anti-pattern of verifying that something is signed but not checking who signed it, which can lead to security issues. It emphasizes the need for proper verification and policy enforcement to ensure security.

Abstract

It’s easy to think that because more developers are signing software, the consumers of that software are necessarily more secure. However, a signature is only useful if verified correctly. One common failure mode is to verify that some software was signed, but not check who signed it. This means that you’ll treat a signature from [email protected] the same as a signature from yourself! We want to check that software came from the right person, but how do we know who that is? In this talk, Marina Moore and Zachary Newman will show how you can answer that question, securely. First, use Sigstore to make signing easy. Then, use CNCF projects The Update Framework (TUF) and in-toto to concretely improve security of open source package repositories, internal container registries, and everything in between. Cut through the hype and see how to sign software in order to increase security. Learn what signing can do—and what it can’t. With this knowledge, you can design appropriate verification policies for your project or organization. You’ll also learn how the open source software repositories you depend on are adopting these techniques to ensure that the code you download comes from the authors you expect.
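The failure mode described above, shown as an added example that is not code from the talk or from Sigstore, TUF or in-toto: it uses raw Ed25519 keys as a stand-in for the signer identity a Sigstore certificate or TUF delegation would bind, and the artifact, keys and policy are all constructed inline. The "any signer" verifier accepts an attacker's bundle; the policy-aware verifier does not.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Bundle is what a consumer receives: artifact, signature, and the public key
// the signer claims to have used (constructed shape for this example).
type Bundle struct {
	Artifact  []byte
	Signature []byte
	Key       ed25519.PublicKey
}

// Policy maps an artifact name to the keys trusted to sign it; this stands in
// for a TUF targets delegation or a Sigstore identity policy.
type Policy map[string][]ed25519.PublicKey

// VerifyAnySigner is the anti-pattern: it checks that the artifact is signed,
// using whatever key travels with the bundle, so any key pair on earth passes.
func VerifyAnySigner(b Bundle) bool {
	return ed25519.Verify(b.Key, b.Artifact, b.Signature)
}

// VerifyTrustedSigner checks the signature AND that the key is one the policy
// trusts for this artifact; an unknown key fails even if its signature is valid.
func VerifyTrustedSigner(p Policy, name string, b Bundle) bool {
	for _, k := range p[name] {
		if bytes.Equal(k, b.Key) {
			return ed25519.Verify(k, b.Artifact, b.Signature)
		}
	}
	return false
}

// Demo signs one constructed artifact with a maintainer key and with an attacker
// key, then returns the verdicts of both verifiers on each bundle.
func Demo() (anyMaint, anyAttacker, policyMaint, policyAttacker bool) {
	artifact := []byte("example-package-1.2.3.tar.gz (constructed contents)")
	maintPub, maintPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	policy := Policy{"example-package": {maintPub}} // only the maintainer is trusted
	fromMaint := Bundle{artifact, ed25519.Sign(maintPriv, artifact), maintPub}
	fromAttacker := Bundle{artifact, ed25519.Sign(attackerPriv, artifact), attackerPub}
	return VerifyAnySigner(fromMaint), VerifyAnySigner(fromAttacker),
		VerifyTrustedSigner(policy, "example-package", fromMaint),
		VerifyTrustedSigner(policy, "example-package", fromAttacker)
}

func main() {
	fmt.Println(Demo()) // prints: true true true false
}
```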
