📖 Verifying the Authenticity and Integrity of Scorecard Results #1058
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
naveensrinivasan
requested review from
azeemshaikh38,
laurentsimon and
olivekl
naveensrinivasan
force-pushed
the
naveen/feat/update-readme
branch
from
58bfa47
to
666d76b
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #1058 +/- ##
=======================================
Coverage 62.94% 62.94%
=======================================
Files 4 4
Lines 251 251
=======================================
Hits 158 158
Misses 77 77
Partials 16 16 |
naveensrinivasan
force-pushed
the
naveen/feat/update-readme
branch
2 times, most recently
from
5a872a4
to
634e2b3
Compare
naveensrinivasan
force-pushed
the
naveen/feat/update-readme
branch
from
63b7e2b
to
0c06f2d
Compare
olivekl
approved these changes
Dec 27, 2022
Thanks @olivekl for making it better! Appreciate the detailed feedback and suggestion! |
- Included section about `Verifying the Authenticity and Integrity of Scorecard Results` - Included a mermaid diagram. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Included additional information based on code review comments. Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
naveensrinivasan
force-pushed
the
naveen/feat/update-readme
branch
from
eadfaf1
to
093a993
Compare
laurentsimon
reviewed
Jan 6, 2023
|
|
||
| Fulcio is a free certificate authority that issues short-lived code signing certificates for OpenID Connect identities, such as email addresses. Cosign uses fulcio for ephemeral keys and certificates. | ||
|
|
||
| Rekor is a system that aims to provide an unchanging ledger of metadata generated within a software project's supply chain. It allows software maintainers and build systems to record signed metadata, which is then recorded in an immutable record using Merkel trees. Other parties can use this metadata to determine if they can trust the lifecycle of an object. Cosign stores the signed hash of the result in rekor to further enhance the tamper resistance of the Scorecard system. |
There was a problem hiding this comment.
nit: unchanging -> immutable
laurentsimon
reviewed
Jan 6, 2023
|
|
||
| Fulcio is a free certificate authority that issues short-lived code signing certificates for OpenID Connect identities, such as email addresses. Cosign uses fulcio for ephemeral keys and certificates. | ||
|
|
||
| Rekor is a system that aims to provide an unchanging ledger of metadata generated within a software project's supply chain. It allows software maintainers and build systems to record signed metadata, which is then recorded in an immutable record using Merkel trees. Other parties can use this metadata to determine if they can trust the lifecycle of an object. Cosign stores the signed hash of the result in rekor to further enhance the tamper resistance of the Scorecard system. |
There was a problem hiding this comment.
You could just say "is a transparency logs" for signatures, and link to their repo or some Sigstore's official doc.
laurentsimon
reviewed
Jan 6, 2023
| Rekor is a system that aims to provide an unchanging ledger of metadata generated within a software project's supply chain. It allows software maintainers and build systems to record signed metadata, which is then recorded in an immutable record using Merkel trees. Other parties can use this metadata to determine if they can trust the lifecycle of an object. Cosign stores the signed hash of the result in rekor to further enhance the tamper resistance of the Scorecard system. | ||
|
|
||
| You can learn more about Merkel trees at this link: https://en.wikipedia.org/wiki/Merkle_tree | ||
|
|
There was a problem hiding this comment.
there is a simplification you've made that people will point out is insecure. We don't just validate a signature: we validate the code of the workflow that produced the result. Signing something does not ensure that the code that ran is the right one.
There was a problem hiding this comment.
@naveensrinivasan Do you still plan to work on this? I will be writing a closely related section to deal with #1150, and would like this to be merged
| @@ -40,6 +40,8 @@ ________ | |||
| - [Publishing Results](#publishing-results) | |||
| - [Uploading Artifacts](#uploading-artifacts) | |||
| - [Workflow Example](#workflow-example) | |||
| [Verifying the Authenticity and Integrity of Scorecard Results](#verifying-the-authenticity-and-integrity-of-scorecard-results) | |||
There was a problem hiding this comment.
missing a - so the list breaks
auto-merge was automatically disabled
November 16, 2023 18:23
Pull request was closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Verifying the Authenticity and Integrity of Scorecard ResultsSigned-off-by: naveensrinivasan 172697+naveensrinivasan@users.noreply.github.com