From 0a32cd0617e187752d6974be22a787be786f52ba Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Mon, 28 Aug 2023 13:05:26 -0700 Subject: [PATCH 01/18] Update overview.md trying to clean up issue with dco and also squash all changes into one commit. Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 70 ++++++++++++++++++++++++------------ 1 file changed, 48 insertions(+), 22 deletions(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 124293b6..e0be4102 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md @@ -1,7 +1,7 @@ --- type: docs -category: About sigstore -description: Documentation for sigstore +category: About Sigstore +description: Documentation for Sigstore home: true menuTitle: Overview title: Sigstore 
@@ -10,45 +10,71 @@ weight: 1 ![Sigstore](sigstore-logo_horizontal-color.svg) -**Sigstore empowers software developers to securely sign software artifacts such as release files, container images, binaries, bill of material manifests and more. Signing materials are then stored in a tamper-resistant public log.** +**Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. Signatures are generated with ephemeral signing keys so there's no need to manage keys. Signing events are recorded in a tamper-resistant public log so software developers can audit signing events.** -It’s free to use for all developers and software providers, with Sigstore’s code and operational tooling being 100% open source, and everything maintained and developed by the Sigstore community. +The project is backed by the Open Source Security Foundation (OpenSSF) under the Linux Foundation, with contributions from Google, Red Hat, Chainguard, GitHub and Purdue University. It is 100% open source and free to use for all developers and software providers. The Sigstore community develops and maintains tools to simplify code signing and verification, and also operates a public-good, non-profit service to improve the open source software supply chain. -## How to use Sigstore +## Why cryptographic signing? + +In a landscape of growing software supply chain vulnerability, unsigned software is at risk for several attack vectors, such as: + +- **Typosquatting** +- **Packages with similar names** +- **Compromised site where package is hosted** +- **Tampering after being published** + +Digital signatures are a way to verify the authenticity of a software artifact. 
Software consumers can trace software back to the source to know who created the artifact and that it has not been altered or tampered with after it was signed. + +## Why Sigstore? + +Traditional artifact signing relies on exchanging cryptographic keypairs for signature verification. The software creator keeps one key secret (the private “signing” key) and publishes the other (the public “verification” key). When a software consumer wants to verify an artifact’s signature, the verification keys are exchanged to prove that the holder of the private key created the signature. + +This traditional approach has several weaknesses: -* I want to [Quick Start](/signing/quickstart/) -* I want to [sign a blob](signing/signing_with_blobs/) -* I want to [sign a container](signing/signing_with_containers/) -* I want to [Sign Git commits with Gitsign](/signing/gitsign/) -* I want to [verify entries with Cosign](/verifying/verify/) +- **Identity**: How do you know the person signing the artifact is who they say they are? +- **Key management**: How do you keep the private key secure so it can’t be lost or stolen? How do you make the public key easily accessible for users, but also protect it from tampering by a malicious attacker? +- **Key revocation**: If the keypair is compromised, how do you distribute new keys in a way that convinces users of your legitimacy and that you’re not an attacker? + +Sigstore addresses these problems by helping users move away from a key-based signing approach to an identity-based one. When using Sigstore’s full capabilities, your artifact is: + +- **Signed**: By using a Sigstore client (Cosign). +- **Verified**: By checking your identity with our certificate authority (Fulcio). +- **Witnessed**: By recording the signing information in a permanent transparency log (Rekor). + +The signer ideally forgoes using long-lived keypairs. 
With “keyless” or “ephemeral key” signing, users verify the artifact using the transparency log for signature verification rather than keys. Sigstore improves on traditional methods of signing to be more convenient and secure: + +- **Convenience**: Users can take advantage of convenient tooling, easy container signing, and can even bypass the difficult problem of key management and rotation. +- **Security**: With Sigstore, the artifact is not just signed; it’s signed, verified, and witnessed. ## How Sigstore works -A Sigstore client, such as Cosign, requests a certificate from Fulcio, a code-signing certificate authority. A verifiable OpenID Connect identity token, which contains a user's email address or service account, is provided in the request. Fulcio verifies this token and issues a short-lived certificate bound to the provided identity. +A Sigstore client, such as Cosign, requests a certificate from our a code-signing certificate authority (called Fulcio). A verifiable OpenID Connect identity token, which contains a user's email address or service account, is provided in the request. The certificate authority verifies this token and issues a short-lived certificate bound to the provided identity. You don’t have to manage signing keys, and Sigstore services never obtain your private key. The public key that a Sigstore client creates gets bound to the issued certificate, and the private key is discarded after a single signing. -After the client signs the artifact, the artifact's digest, signature and certificate are persisted in Rekor, an immutable, append-only transparency ledger, so that signing events can be publicly audited. Identity owners can monitor the log to verify that their identity is being properly used. This also timestamps the signing event, so that the short-lived certificate can be later verified. 
- -For verifying an artifact, a Sigstore client will verify the signature on the artifact using the public key from the certificate, verify the identity in the certificate matches an expected identity, verify the certificate's signature using Sigstore's root of trust, and verify proof of inclusion in Rekor. +After the client signs the artifact, the artifact's digest, signature and certificate are persisted in a transparency log: an immutable, append-only ledger known as Rekor. With this log, signing events can be publicly audited. Identity owners can monitor the log to verify that their identity is being properly used, and someone who downloads and artifact can confirm that the certificate was valid at the time of signing. -## Software supply chain security +For verifying an artifact, a Sigstore client will verify the signature on the artifact using the public key from the certificate, verify the identity in the certificate matches an expected identity, verify the certificate's signature using Sigstore's root of trust, and verify proof of inclusion in Rekor. Together, verification of this information tells the user that the artifact comes from its expected source and has not been tampered with after its creation. -Software supply chains are exposed to multiple risks. Users are susceptible to various targeted attacks, along with account and cryptographic key compromise. Keys in particular are a challenge for software maintainers to manage. Projects often have to maintain a list of current keys in use, and manage the keys of individuals who no longer contribute to a project. Projects all too often store public keys and digests on git repo readme files or websites, two forms of storage susceptible to tampering and less than ideal means of securely communicating trust. 
+For more information on the modules that make up Sigstore, see [Toolling](/docs/about/tooling/) -The tool sets we’ve historically relied on were not built for the present circumstance of remote teams either. This can be seen by the need to create a web of trust, with teams having to meet in person and sign each others’ keys. The current tooling (outside of controlled environments) all too often feel inappropriate to even technical users. +## How to use Sigstore -## About the project +To use Sigstore, you must first install the client. See the [Installation](docs/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: -Sigstore is a Linux Foundation project backed by Google, Red Hat and Purdue University. We provide a public good, non-profit service to improve the open source software supply chain by easing the adoption of cryptographic software signing. +* To get a quick view of how to use the program see [Quick Start](/docs/signing/quickstart/) +* To learn how to work with blobs, see [sign a blob](docs/signing/signing_with_blobs/) +* To learn how to work with containers, see [sign a container](docs/signing/signing_with_containers/) +* To use Gitsign, see [Sign Git commits with Gitsign](/docs/signing/gitsign/) +* To learn about verification, see [verify entries with Cosign](/docs/verifying/verify/) ## Contributing -Up to date documentation, best practices and detailed scenarios for Sigstore live here. These pages are maintained by the community and intended to help anyone get set up easily with any of the technologies, to find what you’re looking for fast. It’s also where we keep all the relevant pages for the Sigstore trust root, from ceremonies to security practices. +Up to date documentation, best practices, and detailed scenarios for Sigstore live here. 
These pages are maintained by the community and intended to help anyone get set up easily with any of the technologies, to find what you’re looking for fast. It’s also where we keep all the relevant pages for the Sigstore trust root, from signing ceremonies to security practices. -Ready to jump in? Check the [contributing guidelines](/contributing/). +Ready to jump in? Check the [contributing guidelines](/docs/contributing/). ## Learn more - [Sigstore YouTube Channel](https://www.youtube.com/@projectsigstore) -- [Sigstore Blog](https://blog.sigstore.dev/) +- [Sigstore Blog](https://blog.sigstore.dev/) From 5792e9df7efce3ed4a816c2477b21b003e043f39 Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Mon, 28 Aug 2023 13:18:42 -0700 Subject: [PATCH 02/18] Update overview.md Remove "Docs" from links. Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index e0be4102..2671bebc 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
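Review bot: In PATCH 01/18, the "Why Sigstore?" bullet `- **Verified**: By checking your identity with our certificate authority (Fulcio).` misstates Fulcio's role: Fulcio binds an OIDC identity to a short-lived certificate at signing time, it does not verify the artifact. The same hunk says that with keyless signing "users verify the artifact using the transparency log for signature verification rather than keys", which contradicts the "How Sigstore works" section two paragraphs below, where the client checks the signature with the public key from the certificate and uses Rekor only for proof of inclusion and a timestamp. Suggest "Associated: With an identity through our certificate authority (Fulcio)" for the bullet and "verify the artifact using the certificate and the transparency log rather than a long-lived key" for the sentence. The typosquatting bullets under "Why cryptographic signing?" also need a caveat: a lookalike package can carry a perfectly valid signature from the attacker's own identity, so a signature only helps there when the consumer verifies against the identity it expects. Smaller fixes in the same hunk: "framework and tooling empowers" should be "empower", "from our a code-signing certificate authority" has a stray "a", "downloads and artifact" should be "an artifact", "[Toolling]" should be "Tooling", and the new links mix "/docs/..." with leading-slash-less "docs/..." (Installation, sign a blob, sign a container), which resolve relative to /about/overview/ rather than to the site root.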
@@ -56,23 +56,23 @@ After the client signs the artifact, the artifact's digest, signature and certif For verifying an artifact, a Sigstore client will verify the signature on the artifact using the public key from the certificate, verify the identity in the certificate matches an expected identity, verify the certificate's signature using Sigstore's root of trust, and verify proof of inclusion in Rekor. Together, verification of this information tells the user that the artifact comes from its expected source and has not been tampered with after its creation. -For more information on the modules that make up Sigstore, see [Toolling](/docs/about/tooling/) +For more information on the modules that make up Sigstore, see [Toolling](/about/tooling/) ## How to use Sigstore -To use Sigstore, you must first install the client. See the [Installation](docs/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: +To use Sigstore, you must first install the client. See the [Installation](/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. 
For a quick introduction, you can try using one of the links below: -* To get a quick view of how to use the program see [Quick Start](/docs/signing/quickstart/) -* To learn how to work with blobs, see [sign a blob](docs/signing/signing_with_blobs/) -* To learn how to work with containers, see [sign a container](docs/signing/signing_with_containers/) -* To use Gitsign, see [Sign Git commits with Gitsign](/docs/signing/gitsign/) -* To learn about verification, see [verify entries with Cosign](/docs/verifying/verify/) +* To get a quick view of how to use the program see [Quick Start](/signing/quickstart/) +* To learn how to work with blobs, see [sign a blob](signing/signing_with_blobs/) +* To learn how to work with containers, see [sign a container](/signing/signing_with_containers/) +* To use Gitsign, see [Sign Git commits with Gitsign](/signing/gitsign/) +* To learn about verification, see [verify entries with Cosign](/verifying/verify/) ## Contributing Up to date documentation, best practices, and detailed scenarios for Sigstore live here. These pages are maintained by the community and intended to help anyone get set up easily with any of the technologies, to find what you’re looking for fast. It’s also where we keep all the relevant pages for the Sigstore trust root, from signing ceremonies to security practices. -Ready to jump in? Check the [contributing guidelines](/docs/contributing/). +Ready to jump in? Check the [contributing guidelines](/contributing/). ## Learn more From 6044804e5d4378182812b47a200fc06605978eb7 Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Tue, 29 Aug 2023 11:01:52 -0700 Subject: [PATCH 03/18] Update overview.md Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
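Review bot: In PATCH 02/18, `[sign a blob](signing/signing_with_blobs/)` is the only link in the list still without a leading slash, so it resolves relative to the overview page instead of the site root; make it `/signing/signing_with_blobs/` like its neighbours. "[Toolling]" is also still misspelled on the Tooling line this hunk edits.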
diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 2671bebc..d2c9f330 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md @@ -10,7 +10,7 @@ weight: 1 ![Sigstore](sigstore-logo_horizontal-color.svg) -**Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. Signatures are generated with ephemeral signing keys so there's no need to manage keys. Signing events are recorded in a tamper-resistant public log so software developers can audit signing events.** +**Sigstore is an open source project for improving software supply chain security. The Sigstore services and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. Signatures are generated with ephemeral signing keys so there's no need to manage keys. Signing events are recorded in a tamper-resistant public log so software developers can audit signing events.** The project is backed by the Open Source Security Foundation (OpenSSF) under the Linux Foundation, with contributions from Google, Red Hat, Chainguard, GitHub and Purdue University. It is 100% open source and free to use for all developers and software providers. The Sigstore community develops and maintains tools to simplify code signing and verification, and also operates a public-good, non-profit service to improve the open source software supply chain. 
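Review bot: In PATCH 03/18, the rewritten intro still reads "The Sigstore services and tooling empowers"; the compound subject takes "empower".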
@@ -18,12 +18,11 @@ The project is backed by the Open Source Security Foundation (OpenSSF) under the In a landscape of growing software supply chain vulnerability, unsigned software is at risk for several attack vectors, such as: -- **Typosquatting** -- **Packages with similar names** +- **Typosquatting packages with similar names** - **Compromised site where package is hosted** - **Tampering after being published** -Digital signatures are a way to verify the authenticity of a software artifact. Software consumers can trace software back to the source to know who created the artifact and that it has not been altered or tampered with after it was signed. +Digital signatures are a way to verify the authenticity and integrityof a software artifact. Software consumers can trace software back to the source to know who created the artifact and that it has not been altered or tampered with after it was signed. ## Why Sigstore? From d07da14bb237c5396c92d9f6102d6f36c069fcc2 Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Tue, 29 Aug 2023 11:02:58 -0700 Subject: [PATCH 04/18] Update content/en/about/overview.md Co-authored-by: Hayden B Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index d2c9f330..dcf438a2 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
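Review bot: In PATCH 03/18, the new line "verify the authenticity and integrityof a software artifact" is missing the space in "integrity of". Merging the two bullets into "Typosquatting packages with similar names" is fine, but since this hunk already touches the list it is the place to say that a signature only defends against a lookalike package when the consumer checks the signer identity, not merely that a signature exists.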
@@ -26,7 +26,7 @@ Digital signatures are a way to verify the authenticity and integrityof a softwa ## Why Sigstore? -Traditional artifact signing relies on exchanging cryptographic keypairs for signature verification. The software creator keeps one key secret (the private “signing” key) and publishes the other (the public “verification” key). When a software consumer wants to verify an artifact’s signature, the verification keys are exchanged to prove that the holder of the private key created the signature. +Traditional artifact signing relies on exchanging cryptographic keypairs for signature verification. The software creator keeps one key secret (the private “signing” key) and publishes the other (the public “verification” key). When a software consumer wants to verify an artifact’s signature, the verification key is exchanged to prove that the holder of the private key created the signature. This traditional approach has several weaknesses: From 2d62024f4addc265a609000b4d650f929c250e6d Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Tue, 29 Aug 2023 11:09:38 -0700 Subject: [PATCH 05/18] Update overview.md Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index dcf438a2..c9311814 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
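Review bot: In PATCH 04/18, "the verification key is exchanged to prove that the holder of the private key created the signature" still describes a one-way step as an exchange: the signer publishes the public key and the consumer uses it to check the signature. Suggest "the consumer obtains the published verification key and uses it to confirm that the holder of the private key produced the signature".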
@@ -37,7 +37,7 @@ This traditional approach has several weaknesses: Sigstore addresses these problems by helping users move away from a key-based signing approach to an identity-based one. When using Sigstore’s full capabilities, your artifact is: - **Signed**: By using a Sigstore client (Cosign). -- **Verified**: By checking your identity with our certificate authority (Fulcio). +- **Associated**: The identity is associated with an ephemeral key. - **Witnessed**: By recording the signing information in a permanent transparency log (Rekor). The signer ideally forgoes using long-lived keypairs. With “keyless” or “ephemeral key” signing, users verify the artifact using the transparency log for signature verification rather than keys. Sigstore improves on traditional methods of signing to be more convenient and secure: From 8e8dab20eff7c6311e9a276189c777c652ad7e36 Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Tue, 29 Aug 2023 11:30:58 -0700 Subject: [PATCH 06/18] Update overview.md fix lint errors. Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index c9311814..4329aac8 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
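Review bot: In PATCH 05/18, replacing "Verified" with "Associated" is the right correction, but `- **Associated**: The identity is associated with an ephemeral key.` drops the parallel "By ..." phrasing of the neighbouring bullets and no longer names Fulcio, so the list now names Cosign and Rekor but leaves the certificate authority out. Suggest "Associated: With an identity, through our certificate authority (Fulcio), which binds it to the ephemeral key".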
@@ -61,11 +61,11 @@ For more information on the modules that make up Sigstore, see [Toolling](/about To use Sigstore, you must first install the client. See the [Installation](/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: -* To get a quick view of how to use the program see [Quick Start](/signing/quickstart/) -* To learn how to work with blobs, see [sign a blob](signing/signing_with_blobs/) -* To learn how to work with containers, see [sign a container](/signing/signing_with_containers/) -* To use Gitsign, see [Sign Git commits with Gitsign](/signing/gitsign/) -* To learn about verification, see [verify entries with Cosign](/verifying/verify/) +- To get a quick view of how to use the program see [Quick Start](/signing/quickstart/) +- To learn how to work with blobs, see [sign a blob](signing/signing_with_blobs/) +- To learn how to work with containers, see [sign a container](/signing/signing_with_containers/) +- To use Gitsign, see [Sign Git commits with Gitsign](/signing/gitsign/) +- To learn about verification, see [verify entries with Cosign](/verifying/verify/) ## Contributing From c2832078035a16f318fcaf5df45160e6652262c9 Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Tue, 29 Aug 2023 11:36:45 -0700 Subject: [PATCH 07/18] Update overview.md Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 4329aac8..c8ed6f44 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
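Review bot: In PATCH 06/18, the lint fix rewrites every bullet of this list yet leaves `[sign a blob](signing/signing_with_blobs/)` without its leading slash while the other four links have one; fix the path in this commit rather than a later one.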
@@ -65,7 +65,7 @@ To use Sigstore, you must first install the client. See the [Installation](/syst - To learn how to work with blobs, see [sign a blob](signing/signing_with_blobs/) - To learn how to work with containers, see [sign a container](/signing/signing_with_containers/) - To use Gitsign, see [Sign Git commits with Gitsign](/signing/gitsign/) -- To learn about verification, see [verify entries with Cosign](/verifying/verify/) +- To learn about verification, see [verify entries with Cosign](/verifying/verify/) ## Contributing From b4d87a05bad91ec8b8abfedb2acccd1ebeac0001 Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Tue, 29 Aug 2023 11:48:45 -0700 Subject: [PATCH 08/18] Update overview.md Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index c8ed6f44..4329aac8 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md @@ -65,7 +65,7 @@ To use Sigstore, you must first install the client. See the [Installation](/syst - To learn how to work with blobs, see [sign a blob](signing/signing_with_blobs/) - To learn how to work with containers, see [sign a container](/signing/signing_with_containers/) - To use Gitsign, see [Sign Git commits with Gitsign](/signing/gitsign/) -- To learn about verification, see [verify entries with Cosign](/verifying/verify/) +- To learn about verification, see [verify entries with Cosign](/verifying/verify/) ## Contributing From 5c781d7fa5b9d1bec63411084ab5d5eb5fc71c96 Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Wed, 30 Aug 2023 15:22:24 -0700 Subject: [PATCH 09/18] Update overview.md trying to fix merge issues. 
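Review bot: PATCH 07/18 and PATCH 08/18 are exact inverses of each other (index c8ed6f44..4329aac8 reverses 4329aac8..c8ed6f44), and the only difference in each hunk is invisible, presumably trailing whitespace on the "verify entries with Cosign" line. The net effect is zero; drop both commits or squash them away so the series does not carry a whitespace change and its revert.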
Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 4329aac8..bcb01d02 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md @@ -55,7 +55,7 @@ After the client signs the artifact, the artifact's digest, signature and certif For verifying an artifact, a Sigstore client will verify the signature on the artifact using the public key from the certificate, verify the identity in the certificate matches an expected identity, verify the certificate's signature using Sigstore's root of trust, and verify proof of inclusion in Rekor. Together, verification of this information tells the user that the artifact comes from its expected source and has not been tampered with after its creation. -For more information on the modules that make up Sigstore, see [Toolling](/about/tooling/) +For more information on the modules that make up Sigstore, see [Toolling](/about/tooling/). ## How to use Sigstore From 8a96f33db19b7559103ac82bc6ab0ed510e5de2a Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Thu, 31 Aug 2023 11:11:34 -0700 Subject: [PATCH 10/18] Update overview.md fix lint errors Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index e0be4102..56c78425 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
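Review bot: In PATCH 09/18, the hunk adds a full stop to the Tooling sentence but leaves "[Toolling]" misspelled on the same line; since the line is being edited anyway, spell it "Tooling" here.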
@@ -62,11 +62,11 @@ For more information on the modules that make up Sigstore, see [Toolling](/docs/ To use Sigstore, you must first install the client. See the [Installation](docs/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: -* To get a quick view of how to use the program see [Quick Start](/docs/signing/quickstart/) -* To learn how to work with blobs, see [sign a blob](docs/signing/signing_with_blobs/) -* To learn how to work with containers, see [sign a container](docs/signing/signing_with_containers/) -* To use Gitsign, see [Sign Git commits with Gitsign](/docs/signing/gitsign/) -* To learn about verification, see [verify entries with Cosign](/docs/verifying/verify/) +- To get a quick view of how to use the program see [Quick Start](/docs/signing/quickstart/) +- To learn how to work with blobs, see [sign a blob](docs/signing/signing_with_blobs/) +- To learn how to work with containers, see [sign a container](docs/signing/signing_with_containers/) +- To use Gitsign, see [Sign Git commits with Gitsign](/docs/signing/gitsign/) +- To learn about verification, see [verify entries with Cosign](/docs/verifying/verify/) ## Contributing From a74c083977af45839898c9723857d719e79ca06e Mon Sep 17 00:00:00 2001 From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Thu, 31 Aug 2023 11:21:35 -0700 Subject: [PATCH 11/18] Update overview.md remove docs from links Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 56c78425..bee9528a 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
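Review bot: PATCH 10/18 applies to index e0be4102, the file as it stood after PATCH 01/18, rather than to bcb01d02 produced by PATCH 09/18, and it repeats the bullet-marker change already made in PATCH 06/18; PATCH 11/18 and 12/18 likewise redo PATCH 02, 03 and 05. Applied in order these hunks will not match the tree and the series will fail or conflict. Since the first commit message already says the intent was to squash everything into one commit, rebase and squash the series into a single commit against the current branch before re-submitting.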
@@ -62,17 +62,17 @@ For more information on the modules that make up Sigstore, see [Toolling](/docs/ To use Sigstore, you must first install the client. See the [Installation](docs/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: -- To get a quick view of how to use the program see [Quick Start](/docs/signing/quickstart/) -- To learn how to work with blobs, see [sign a blob](docs/signing/signing_with_blobs/) -- To learn how to work with containers, see [sign a container](docs/signing/signing_with_containers/) -- To use Gitsign, see [Sign Git commits with Gitsign](/docs/signing/gitsign/) -- To learn about verification, see [verify entries with Cosign](/docs/verifying/verify/) +- To get a quick view of how to use the program see [Quick Start](/signing/quickstart/) +- To learn how to work with blobs, see [sign a blob](/signing/signing_with_blobs/) +- To learn how to work with containers, see [sign a container](/signing/signing_with_containers/) +- To use Gitsign, see [Sign Git commits with Gitsign](/signing/gitsign/) +- To learn about verification, see [verify entries with Cosign](/verifying/verify/) ## Contributing Up to date documentation, best practices, and detailed scenarios for Sigstore live here. These pages are maintained by the community and intended to help anyone get set up easily with any of the technologies, to find what you’re looking for fast. It’s also where we keep all the relevant pages for the Sigstore trust root, from signing ceremonies to security practices. -Ready to jump in? Check the [contributing guidelines](/docs/contributing/). +Ready to jump in? Check the [contributing guidelines](/contributing/). ## Learn more From ba7d4c91454d9353f7edf6f8b844ec29219d356c Mon Sep 17 00:00:00 2001 
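Review bot: In PATCH 11/18, the five bullet links are corrected to root-relative paths, but `[Installation](docs/system_config/installation/)` in the context line just above still carries the "docs" prefix and lacks the leading slash; the commit message "remove docs from links" suggests it was meant to be included.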
From: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> Date: Thu, 31 Aug 2023 11:31:02 -0700 Subject: [PATCH 12/18] Update overview.md Signed-off-by: jonvnadelberg <121979961+jonvnadelberg@users.noreply.github.com> --- content/en/about/overview.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index bee9528a..2091b48b 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md @@ -18,8 +18,7 @@ The project is backed by the Open Source Security Foundation (OpenSSF) under the In a landscape of growing software supply chain vulnerability, unsigned software is at risk for several attack vectors, such as: -- **Typosquatting** -- **Packages with similar names** +- **Typosquatting packages with similar names** - **Compromised site where package is hosted** - **Tampering after being published** @@ -38,7 +37,7 @@ This traditional approach has several weaknesses: Sigstore addresses these problems by helping users move away from a key-based signing approach to an identity-based one. When using Sigstore’s full capabilities, your artifact is: - **Signed**: By using a Sigstore client (Cosign). -- **Verified**: By checking your identity with our certificate authority (Fulcio). +- **Associated**: With an identity through our certificate authority (Fulcio). - **Witnessed**: By recording the signing information in a permanent transparency log (Rekor). The signer ideally forgoes using long-lived keypairs. With “keyless” or “ephemeral key” signing, users verify the artifact using the transparency log for signature verification rather than keys. Sigstore improves on traditional methods of signing to be more convenient and secure: 
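Review bot: In PATCH 12/18, the first hunk duplicates the "Typosquatting packages with similar names" change from PATCH 03/18 and rewrites the bullet already changed in PATCH 05/18, so after squashing only one copy should survive. Of the two versions of that bullet, keep this one: `- **Associated**: With an identity through our certificate authority (Fulcio).` restores the parallel phrasing and names Fulcio.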
@@ -56,11 +55,11 @@ After the client signs the artifact, the artifact's digest, signature and certif For verifying an artifact, a Sigstore client will verify the signature on the artifact using the public key from the certificate, verify the identity in the certificate matches an expected identity, verify the certificate's signature using Sigstore's root of trust, and verify proof of inclusion in Rekor. Together, verification of this information tells the user that the artifact comes from its expected source and has not been tampered with after its creation. -For more information on the modules that make up Sigstore, see [Toolling](/docs/about/tooling/) +For more information on the modules that make up Sigstore, see [Toolling](/about/tooling/). ## How to use Sigstore -To use Sigstore, you must first install the client. See the [Installation](docs/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: +To use Sigstore, you must first install the client. See the [Installation](docs/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: - To get a quick view of how to use the program see [Quick Start](/signing/quickstart/) - To learn how to work with blobs, see [sign a blob](/signing/signing_with_blobs/) From 674eced5a05186fa632b017c71cb2a53032ec5e2 Mon Sep 17 00:00:00 2001 From: ltagliaferri Date: Tue, 5 Sep 2023 13:21:47 -0400 Subject: [PATCH 13/18] Update content/en/about/overview.md Signed-off-by: ltagliaferri --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 2091b48b..3b309402 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
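Review bot: In PATCH 12/18, the second hunk's change to the Installation line has no visible difference (likely trailing whitespace) while the `docs/system_config/installation/` path on that line is still wrong; if the line is being touched, change the path to `/system_config/installation/`. "[Toolling]" is also still misspelled in the other changed line.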
@@ -47,7 +47,7 @@ The signer ideally forgoes using long-lived keypairs. With “keyless” or “e ## How Sigstore works -A Sigstore client, such as Cosign, requests a certificate from our a code-signing certificate authority (called Fulcio). A verifiable OpenID Connect identity token, which contains a user's email address or service account, is provided in the request. The certificate authority verifies this token and issues a short-lived certificate bound to the provided identity. +A Sigstore client, such as Cosign, requests a certificate from our code-signing certificate authority (Fulcio). A verifiable OpenID Connect identity token, which contains a user's email address or service account, is provided in the request. The certificate authority verifies this token and issues a short-lived certificate bound to the provided identity. You don’t have to manage signing keys, and Sigstore services never obtain your private key. The public key that a Sigstore client creates gets bound to the issued certificate, and the private key is discarded after a single signing. From 201251025ee7591431efc6cb3c9040753dc3db1d Mon Sep 17 00:00:00 2001 From: ltagliaferri Date: Tue, 5 Sep 2023 13:21:54 -0400 Subject: [PATCH 14/18] Update content/en/about/overview.md Signed-off-by: ltagliaferri --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 3b309402..1ef54678 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
@@ -55,7 +55,7 @@ After the client signs the artifact, the artifact's digest, signature and certif For verifying an artifact, a Sigstore client will verify the signature on the artifact using the public key from the certificate, verify the identity in the certificate matches an expected identity, verify the certificate's signature using Sigstore's root of trust, and verify proof of inclusion in Rekor. Together, verification of this information tells the user that the artifact comes from its expected source and has not been tampered with after its creation. -For more information on the modules that make up Sigstore, see [Toolling](/about/tooling/). +For more information on the modules that make up Sigstore, review [Toolling](/about/tooling/). ## How to use Sigstore From 1038da2a48edaa45a1da6d6504be58ae3fb7d89c Mon Sep 17 00:00:00 2001 From: ltagliaferri Date: Tue, 5 Sep 2023 13:22:01 -0400 Subject: [PATCH 15/18] Update content/en/about/overview.md Signed-off-by: ltagliaferri --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 1ef54678..8c883537 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
@@ -59,7 +59,7 @@ For more information on the modules that make up Sigstore, review [Toolling](/ab ## How to use Sigstore -To use Sigstore, you must first install the client. See the [Installation](docs/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: +To use Sigstore, you must first install the client. Review the [Installation](docs/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: - To get a quick view of how to use the program see [Quick Start](/signing/quickstart/) - To learn how to work with blobs, see [sign a blob](/signing/signing_with_blobs/) From ebba194abea980777f9cb7a30b1d2b2e241a0478 Mon Sep 17 00:00:00 2001 From: ltagliaferri Date: Tue, 5 Sep 2023 13:23:03 -0400 Subject: [PATCH 16/18] Update content/en/about/overview.md Signed-off-by: ltagliaferri --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 8c883537..684c3504 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
@@ -69,7 +69,7 @@ To use Sigstore, you must first install the client. Review the [Installation](do ## Contributing -Up to date documentation, best practices, and detailed scenarios for Sigstore live here. These pages are maintained by the community and intended to help anyone get set up easily with any of the technologies, to find what you’re looking for fast. It’s also where we keep all the relevant pages for the Sigstore trust root, from signing ceremonies to security practices. +Up to date documentation, best practices, and detailed scenarios for Sigstore live here. These pages are maintained by the community and intended to help anyone get set up with any of the technologies, to find what you’re looking for fast. It’s also where we keep all the relevant pages for the Sigstore trust root, from signing ceremonies to security practices. Ready to jump in? Check the [contributing guidelines](/contributing/). From 49fb452a4992fd69a2edb8b9a9e46befe25034a5 Mon Sep 17 00:00:00 2001 From: ltagliaferri Date: Tue, 5 Sep 2023 13:23:09 -0400 Subject: [PATCH 17/18] Update content/en/about/overview.md Signed-off-by: ltagliaferri --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 684c3504..98bd1006 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
@@ -71,7 +71,7 @@ To use Sigstore, you must first install the client. Review the [Installation](do Up to date documentation, best practices, and detailed scenarios for Sigstore live here. These pages are maintained by the community and intended to help anyone get set up with any of the technologies, to find what you’re looking for fast. It’s also where we keep all the relevant pages for the Sigstore trust root, from signing ceremonies to security practices. -Ready to jump in? Check the [contributing guidelines](/contributing/). +Ready to jump in? Check the [contributing guidelines](/about/contributing/). ## Learn more From dd587498a1bd5fd91657d321625e05643df7f889 Mon Sep 17 00:00:00 2001 From: ltagliaferri Date: Tue, 5 Sep 2023 13:23:31 -0400 Subject: [PATCH 18/18] Update content/en/about/overview.md Signed-off-by: ltagliaferri --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 98bd1006..43f83cbc 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md @@ -59,7 +59,7 @@ For more information on the modules that make up Sigstore, review [Toolling](/ab ## How to use Sigstore -To use Sigstore, you must first install the client. Review the [Installation](docs/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: +To use Sigstore, you must first install the client. Review the [Installation](/system_config/installation/) instructions. You can then pick the subject matter you wish to learn about from the menu items on the left. For a quick introduction, you can try using one of the links below: - To get a quick view of how to use the program see [Quick Start](/signing/quickstart/) - To learn how to work with blobs, see [sign a blob](/signing/signing_with_blobs/)