Proposal to use Sigstore to verify packages in npm

It was reported that a proposal has been submitted on GitHub for the platform to use the Sigstore service to verify packages with digital signatures and to keep a public record that proves their authenticity when releases are distributed.

The proposal states that using Sigstore will add another layer of protection against targeted attacks that substitute software components and their dependencies (supply chain attacks).

Securing the software supply chain is one of the biggest security problems our industry faces right now. This proposal is an important next step, but fully solving this problem will require commitment and investment from the whole community…

These changes help protect open source consumers from software supply chain attacks; in other words, from cases where malicious users try to distribute malware by compromising a maintainer's account and adding malicious code to an open source dependency used by many developers.

For example, the proposed change protects a project's sources if the publishing account of one of its npm dependencies is compromised and the attacker produces an updated version of the package containing malicious code.

It is worth noting that Sigstore is not just another code-signing tool: the proposed approach removes the need to manage signing keys by issuing short-lived keys tied to OpenID Connect (OIDC) identities, while recording every signing action in an immutable ledger called Rekor; in addition, Sigstore has its own certificate authority, called Fulcio.

Thanks to the new layer of protection, developers will be able to link a built package to the source code it was built from and to the build environment, giving users a way to verify that the contents of the package match the contents of the main project repository.

Using Sigstore greatly simplifies key management and removes the difficulties associated with registering, revoking and managing cryptographic keys. Sigstore positions itself as a Let's Encrypt for code, providing digital certificates for code signing and tools for automating verification.

We are opening a new Request for Comments (RFC) today that focuses on linking a package to its source repository and build environment. If package developers opt into this system, consumers of their packages can have greater confidence that the contents of a package match the contents of the linked repository.

Instead of permanent keys, Sigstore uses short-lived (ephemeral) keys that are generated on the basis of an authorization. The keys used for signing are recorded in a tamper-proof public log, which allows you to verify that the author of a signature is who they claim to be, and that the signature was produced by the same participant who was responsible for the release.

The project has already seen initial adoption by other package manager ecosystems. With today's RFC, we propose adding support for end-to-end signing of npm packages using Sigstore. This approach includes generating attestations about where, when and how a package was built, so that this can be verified later.

To ensure integrity and protect against data corruption, a Merkle tree structure is used, in which each branch covers all branches and nodes below it through a joint (tree) hash. Given the resulting hash, a user can verify the correctness of the entire operation history, as well as the correctness of past states of the database (the root hash of the new database state is computed taking the previous state into account).
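The log structure described above, as an added example that is not Sigstore's or Rekor's own code: an append-only SHA-256 Merkle log in the style of RFC 6962 (0x00 leaf and 0x01 node prefixes) whose entries are constructed, unsigned stand-ins for the provenance attestations mentioned earlier (a package digest bound to its source repository and builder). It produces and verifies inclusion proofs (this entry is in the log under this root) and consistency proofs (a newer root still contains the whole earlier log, so history was not rewritten). The package name, repository URL, commit and builder values are placeholders, and real Sigstore entries are signed, which this example leaves out.

```python
"""Append-only Merkle log with inclusion and consistency proofs (added example, not
Sigstore/Rekor code). Assumes SHA-256 with the RFC 6962 leaf (0x00) and node (0x01)
prefixes; entries are constructed, unsigned stand-ins for provenance attestations."""
import hashlib
import json

def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:  # largest power of two strictly below n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def root_hash(entries: list) -> bytes:
    """Tree hash: every branch commits to all branches and leaves below it."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(root_hash(entries[:k]), root_hash(entries[k:]))

def inclusion_proof(entries: list, index: int) -> list:
    """Sibling hashes from the leaf up to the root, deepest level first."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [root_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [root_hash(entries[:k])]

def verify_inclusion(entry: bytes, index: int, size: int, proof: list, root: bytes) -> bool:
    """Recompute the root from the entry plus its proof; True only if it matches."""
    path = list(proof)

    def rebuild(m, n):
        if n == 1:
            return leaf_hash(entry)
        k = _split(n)
        sibling = path.pop()  # the top-level sibling is listed last
        if m < k:
            return node_hash(rebuild(m, k), sibling)
        return node_hash(sibling, rebuild(m - k, n - k))

    try:
        return 0 <= index < size and rebuild(index, size) == root and not path
    except IndexError:  # proof too short for the claimed tree size
        return False

def consistency_proof(entries: list, old_size: int, old_root_known: bool = True) -> list:
    """Hashes proving that entries[:old_size] is a prefix of the current log."""
    n = len(entries)
    if old_size == n:
        return [] if old_root_known else [root_hash(entries)]
    k = _split(n)
    if old_size <= k:
        return consistency_proof(entries[:k], old_size, old_root_known) + [root_hash(entries[k:])]
    return consistency_proof(entries[k:], old_size - k, False) + [root_hash(entries[:k])]

def verify_consistency(old_size, old_root, new_size, new_root, proof) -> bool:
    """Rebuild the old and the new root from one proof (mirrors RFC 6962 SUBPROOF)."""
    path = list(proof)

    def rebuild(m, n, old_root_known):
        if m == n:
            h = old_root if old_root_known else path.pop()
            return h, h
        k = _split(n)
        sibling = path.pop()
        if m <= k:  # the old tree lies entirely in the left subtree
            old, new = rebuild(m, k, old_root_known)
            return old, node_hash(new, sibling)
        old, new = rebuild(m - k, n - k, False)  # left subtree is shared by both roots
        return node_hash(sibling, old), node_hash(sibling, new)

    if not 0 < old_size <= new_size:
        return False
    try:
        old, new = rebuild(old_size, new_size, True)
    except IndexError:
        return False
    return old == old_root and new == new_root and not path

def provenance_entry(name, version, tarball, repo, commit, builder) -> bytes:
    """Constructed, unsigned attestation: package digest bound to source and builder."""
    statement = {"subject": {"name": name, "version": version,
                             "sha256": hashlib.sha256(tarball).hexdigest()},
                 "source": {"repo": repo, "commit": commit}, "builder": builder}
    return json.dumps(statement, sort_keys=True).encode()

def subject_matches(entry: bytes, tarball: bytes) -> bool:
    """Does the tarball in hand carry the digest the logged attestation names?"""
    return json.loads(entry)["subject"]["sha256"] == hashlib.sha256(tarball).hexdigest()
```

A consumer who remembers an earlier root and later receives a newer root plus `consistency_proof` can detect a log that was rewritten rather than appended to, because `verify_consistency` fails when a rewritten prefix, a forked root or a truncated proof is supplied; `verify_inclusion` then ties one attestation to the current root, and `subject_matches` ties the attestation to the tarball actually downloaded.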

Finally, it is worth mentioning that Sigstore is developed jointly by the Linux Foundation, Google, Red Hat, Purdue University and Chainguard.

If you want to know more about it, you can consult the details at the following link.
