Sigstore, the cryptographic verification system, is now stable

Sigstore

Sigstore can be thought of as a Let's Encrypt for code, providing certificates for digitally signing code and tools to automate verification.

Google announced in a blog post the first stable releases of the components that make up the Sigstore project, which has been declared suitable for building working deployments.

For those unfamiliar with Sigstore, it is a project that aims to develop and provide tools and services for verifying software using digital signatures and for maintaining a public log that confirms the authenticity of changes (a transparency log).

With Sigstore, developers can digitally sign application-related artifacts such as release files, container images, manifests, and executables. The material used for signing is reflected in a tamper-evident public record that can be used for verification and auditing.

Instead of permanent keys, Sigstore uses short-lived ephemeral keys that are generated based on credentials confirmed by OpenID Connect providers (at the time the keys needed to create a digital signature are generated, the developer is identified through the OpenID provider with an email binding).

The authenticity of the keys is verified through a centralized public log, which makes it possible to confirm that the author of a signature is exactly who they claim to be, and that the signature was produced by the same participant who was responsible for previous releases.

Sigstore's readiness for deployment is due to the release of two key components: Rekor 1.0 and Fulcio 1.0, whose programming interfaces have been declared stable and will from now on remain backward compatible with previous versions. The service components are written in Go and released under the Apache 2.0 license.

The Rekor component contains a log implementation for storing digitally signed metadata that reflects information about projects. To ensure integrity and protect against data corruption, a Merkle tree structure is used, in which each branch verifies all underlying branches and nodes through joint (tree) hashing. With the final hash, a user can verify the correctness of the entire history of operations, as well as the correctness of past states of the database (the root verification hash of the new database state is calculated taking the previous state into account). A RESTful API for verifying and adding new records is provided, as well as a command-line interface.

The Fulcio component (Sigstore WebPKI) includes a system for creating certificate authorities (root CAs) that issue short-lived certificates based on an email address authenticated through OpenID Connect. The certificate lifetime is 20 minutes, during which the developer must have time to generate a digital signature (if the certificate later falls into the hands of an attacker, it will already have expired). The project also develops the Cosign (Container Signing) toolkit, designed to generate signatures for containers, verify signatures, and place signed containers in OCI (Open Container Initiative) compliant repositories.

The introduction of Sigstore makes it possible to increase the security of software distribution channels and to protect against attacks aimed at substituting libraries and dependencies (the supply chain). One of the key security problems in open source software is the difficulty of verifying the source of a program and verifying the build process.

The use of digital signatures for release verification is not yet widespread because of difficulties in key management, public key distribution, and revocation of compromised keys. For verification to make sense, it is also necessary to organize a reliable and secure process for distributing public keys and checksums. Even with a digital signature, many users ignore verification because it takes time to learn the verification process and to understand which key is trustworthy.

The project is developed under the auspices of the non-profit Linux Foundation by Google, Red Hat, Cisco, VMware, GitHub, and HP Enterprise, with the participation of the OpenSSF (Open Source Security Foundation) and Purdue University.

Finally, if you are interested in learning more about it, you can check the details at the following link.

