Sigstore, the cryptographic verification system, is now stable


Sigstore can be thought of as a Let's Encrypt for code: it provides certificates for digitally signing code and tools to automate verification.

Google has announced, in a blog post, the first stable releases of the components that make up the Sigstore project, which is declared suitable for building production deployments.

For those unfamiliar with Sigstore, it is a project that aims to develop and provide tools and services for verifying software using digital signatures, and for maintaining a public log that confirms the authenticity of changes (a transparency log).

With Sigstore, developers can digitally sign application-related artifacts such as release files, container images, manifests, and executables. The material used for signing is reflected in a tamper-evident public record that can be used for verification and auditing.

Instead of long-lived keys, Sigstore uses short-lived ephemeral keys that are generated based on credentials verified by OpenID Connect providers (when the keys needed to create a digital signature are generated, the developer is identified through the OpenID provider, bound to an email address).

The authenticity of the keys is verified against a centralized public log, which makes it possible to confirm that the author of a signature is exactly who they claim to be, and that the signature was created by the same participant who was responsible for previous releases.

Sigstore's readiness for deployment comes from the release of two key components, Rekor 1.0 and Fulcio 1.0, whose interfaces are declared stable and will from now on remain compatible with previous versions. The service components are written in Go and released under the Apache 2.0 license.

The Rekor component contains a log implementation for storing digitally signed metadata that reflects information about projects. To ensure integrity and protect against data corruption, a Merkle tree structure is used, in which each branch verifies all underlying branches and nodes through joint (tree) hashing. Having the final hash, a user can verify the correctness of the entire operation history, as well as the correctness of past states of the database (the root verification hash of the new database state is computed taking the past state into account). A RESTful API is provided for verifying and adding new records, as well as a command-line interface.

The Fulcio component (SigStore WebPKI) includes a system for creating certificate authorities (root CAs) that issue short-lived certificates based on an email address authenticated through OpenID Connect. The certificate lifetime is 20 minutes, during which the developer must have time to generate a digital signature (if the certificate later falls into an attacker's hands, it will already have expired). In addition, the project develops the Cosign (Container Signing) toolkit, designed to generate signatures for containers, verify signatures, and place signed containers in OCI (Open Container Initiative) compliant repositories.

The introduction of Sigstore makes it possible to increase the security of software distribution channels and to protect against attacks aimed at substituting libraries and dependencies (the supply chain). One of the main security problems in open source software is the difficulty of verifying the source of a program and verifying the build process.

The use of digital signatures to verify releases has not yet become widespread because of difficulties with key management, public key distribution, and revocation of compromised keys. For verification to make sense, it is also necessary to organize a reliable and secure process for distributing public keys and checksums. Even with a digital signature, many users ignore verification because it takes time to learn the verification process and to understand which key is trusted.

The project is being developed under the auspices of the non-profit Linux Foundation by Google, Red Hat, Cisco, VMware, GitHub, and HP Enterprise, with the participation of OpenSSF (Open Source Security Foundation) and Purdue University.

Finally, if you are interested in learning more about it, you can find the details at the following link.

