Paper 2023/003

How to Use Sigstore without Sigstore

Yan-Cheng Chang
Abstract

Sigstore is a Linux Foundation project aiming to become the new standard for signing software artifacts. It consists of a free certificate authority called Fulcio, a tamper-resistant public log called Rekor, and an optional federated OIDC identity provider called Dex, where Rekor also acts as the timestamping service. Several command line interfaces (CLIs), written in different languages, are available to interact with it for signing software artifacts. Ironically, we will show in this paper that the design of Sigstore eliminates the need for Sigstore, i.e., the key components mentioned above are inessential. Specifically, we will first show how to remove the dependency on Fulcio from existing CLIs while keeping the CLIs working. Next, we will show how to remove the dependency on Rekor from the CLIs. Last, we will explain why relying on Dex, an optional black box with too much power, should be avoided. As none of Fulcio, Rekor, and Dex is essential to making existing CLIs work, we conclude that they are unnecessary trusted third parties which the open source community should avoid employing. Instead, existing CLIs can be easily adapted to remove the dependency on them while providing the same functionality and user experience. The design of Sigstore is an example of solving a problem with a method which requires the solution as the input.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Sigstore, Code Signing, Digital Signature, Applied Cryptography, Security
Contact author(s)
ycchang @ alumni harvard edu
History
2023-01-02: approved
2023-01-01: received
Short URL
https://ia.cr/2023/003
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/003,
      author = {Yan-Cheng Chang},
      title = {How to Use Sigstore without Sigstore},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/003},
      year = {2023},
      url = {https://eprint.iacr.org/2023/003}
}