Proposal to use Sigstore to verify packages on NPM

News has emerged that a proposal has been put up for discussion on GitHub to use the Sigstore service to verify packages by means of digital signatures, and to keep a public record against which the authenticity of a package can be checked when releases are distributed.

According to the proposal, using Sigstore would add a further layer of protection against attacks that aim to substitute software components and dependencies (supply-chain attacks).

Securing the software supply chain is one of the biggest security challenges our industry faces today. This proposal is an important next step, but truly solving this challenge will require commitment and investment from the whole community…

These changes help protect open source users against software supply chain attacks; in other words, against malicious actors who try to distribute malware by compromising a maintainer's account and adding malicious code to an open source dependency that many developers rely on.

For example, the proposed change would protect projects in the case where the NPM account of the developer of one of their dependencies is compromised and the attacker publishes a package update containing malicious code: such an update cannot carry a valid attestation tying it to the dependency's source repository and build, so consumers can detect and reject it.

It is worth noting that Sigstore is not just another code-signing tool. Its approach removes the need to manage signing keys altogether: the signer uses a short-lived key that is bound to an OpenID Connect (OIDC) identity, and every signing action is recorded in an immutable, append-only ledger called Rekor. The short-lived certificates that bind a key to an identity are issued by Sigstore's own certificate authority, called Fulcio.

Thanks to this additional level of protection, developers will be able to link a published package to the source code it was built from and to the environment it was built in, which gives users a way to verify that the contents of the package correspond to the contents of the sources in the project repository.

Using Sigstore greatly simplifies key management and removes the complexity of registering, revoking and looking after cryptographic keys. Sigstore presents itself as a Let's Encrypt for code: it provides digital code-signing certificates and automated verification tools.

We are opening a new Request for Comments (RFC) today that looks at linking a package to its source repository and build environment. If package maintainers opt into this system, consumers of their packages can have additional assurance that the package contents match the contents of the linked repository.

Instead of permanent keys, Sigstore uses ephemeral, short-lived keys that are generated for each signing operation on the basis of the signer's credentials. The signing artifacts are recorded in a tamper-protected public log, which allows anyone to verify that the author of a signature is who they claim to be and that the signature was made by the same party that was responsible.

The project has already seen early adoption by other package manager ecosystems. With today's RFC, we propose adding support for end-to-end signing of npm packages using Sigstore. This process will include generating attestations about where, when and how a package was created, so that they can be verified later.

To guarantee integrity and protect against tampering with the data, the log is organised as a Merkle tree: the hash of each internal node covers all of the branches and nodes beneath it, so the root hash commits to every entry in the log. Because the root of the new state is computed from the previous state plus the entries appended since, a user holding an older root hash can verify the validity of the whole history of operations and the correctness of earlier states of the database, and any alteration of an already-recorded entry becomes detectable.
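The append-only structure just described, as an added example in Go; this is not Rekor's own code. It implements the RFC 6962 leaf and node hashing that transparency logs such as Rekor use, the tree root, and a consistency proof with which a verifier that holds yesterday's root and today's root can check, from a handful of node hashes alone, that today's tree was produced by appending to yesterday's rather than by rewriting earlier entries. The log entries are constructed strings; inclusion proofs for individual entries use the same hashing but are not shown.

```go
// Added example, not Rekor's own code: RFC 6962 Merkle tree hashing as used by
// transparency logs such as Rekor, plus the consistency proof that lets a
// verifier check that a newer root extends an older one. Entries are constructed.
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Domain separation: leaves and interior nodes use different prefixes, so a
// leaf can never be passed off as a subtree (or vice versa).
func hashLeaf(d []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, d...))
	return h[:]
}
func hashNode(l, r []byte) []byte {
	h := sha256.Sum256(append(append([]byte{0x01}, l...), r...))
	return h[:]
}

// split returns the largest power of two strictly less than n (n >= 2).
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// Root computes the Merkle tree hash MTH(D[n]) over the raw entries (n >= 1).
func Root(entries [][]byte) []byte {
	if len(entries) == 1 {
		return hashLeaf(entries[0])
	}
	k := split(len(entries))
	return hashNode(Root(entries[:k]), Root(entries[k:]))
}

// ConsistencyProof returns the node hashes a verifier needs to check that the
// tree over the first m entries is a prefix of the tree over all of them.
func ConsistencyProof(m int, entries [][]byte) [][]byte {
	return subproof(m, entries, true)
}

func subproof(m int, entries [][]byte, b bool) [][]byte {
	if m == len(entries) {
		if b {
			return nil
		}
		return [][]byte{Root(entries)}
	}
	k := split(len(entries))
	if m <= k {
		return append(subproof(m, entries[:k], b), Root(entries[k:]))
	}
	return append(subproof(m-k, entries[k:], false), Root(entries[:k]))
}

// reconstruct mirrors subproof: it consumes the proof in the order it was
// generated and rebuilds the old and the new root from the proof hashes alone.
func reconstruct(m, n int, b bool, proof [][]byte, oldRoot []byte) (old, cur []byte, rest [][]byte, ok bool) {
	if m == n {
		if b {
			return oldRoot, oldRoot, proof, true // this subtree is the whole old tree
		}
		if len(proof) == 0 {
			return nil, nil, nil, false
		}
		return proof[0], proof[0], proof[1:], true
	}
	k := split(n)
	if m <= k {
		old, cur, rest, ok = reconstruct(m, k, b, proof, oldRoot)
		if !ok || len(rest) == 0 {
			return nil, nil, nil, false
		}
		return old, hashNode(cur, rest[0]), rest[1:], true // appended entries sit to the right
	}
	old, cur, rest, ok = reconstruct(m-k, n-k, false, proof, oldRoot)
	if !ok || len(rest) == 0 {
		return nil, nil, nil, false
	}
	return hashNode(rest[0], old), hashNode(rest[0], cur), rest[1:], true // shared left subtree
}

// VerifyConsistency accepts only a proof that is consumed exactly and yields
// both published roots; any rewrite of an entry below the old root breaks it.
func VerifyConsistency(m, n int, oldRoot, newRoot []byte, proof [][]byte) bool {
	if m < 1 || m > n {
		return false
	}
	old, cur, rest, ok := reconstruct(m, n, true, proof, oldRoot)
	return ok && len(rest) == 0 && bytes.Equal(old, oldRoot) && bytes.Equal(cur, newRoot)
}

func main() {
	grown := [][]byte{[]byte("entry-0"), []byte("entry-1"), []byte("entry-2"), []byte("entry-3"), []byte("entry-4")}
	fmt.Println("consistent:", VerifyConsistency(3, 5, Root(grown[:3]), Root(grown), ConsistencyProof(3, grown)))
}
```

The proof for going from three entries to five contains only four hashes, yet `VerifyConsistency` recomputes both roots from them; if the log operator silently replaced `entry-1` after the old root was published, the recomputed old root no longer matches and the proof is rejected.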

Finally, it is worth mentioning that Sigstore is developed jointly by the Linux Foundation, Google, Red Hat, Purdue University and Chainguard.

If you want to know more about it, you can consult the details at the following link.

