ENH,BLD,SEC: sigstore, SLSA

Users can verify lineageOS-built software artifacts with sigstore (and someday, SLSA) manually and with the lineageos updater android app (because sha256 without crytographic signatures is not good enough according to TUF, Sigstore, and SLSA)

https://wiki.lineageos.org/signing_builds
[ ] Decide whether to start with SLSA, Sigstore, or just TUF
- SLSA supports Sigstore
- Sigstore depends on TUF to be verified itself
- blockcerts/cert-verifier-js is another approach (built with W3C Verfiable Credentials and W3C DID Decentralized Identifier keys instead of OIDC OpenID Connect)
[ ] Sign LineageOS build list json files
- https://download.lineageos.org/api/v2/devices/sunfish/builds
[ ] Sign LineageOS CI ROM builds
- [ ] Upload artifact signatures to a log
[ ] Update lineageos-infra/updater?
[ ] Verify LineageOS ROM downloads with a (python?) CLI tool by default, and optionally
- [ ] allow skipping tuf||sigstore verfication for UNOFFICIAL custom builds
- [ ] display a note about unsigned UNOFFICIAL custom builds
[ ] Verify LineageOS ROM downloads with the LineageOS updater android app
- sigstore-java is not considered production-ready
- sigstore-js and tuf-js are IIUC

TUF

TUF: The Update Framework

src: https://github.com/theupdateframework
web: https://theupdateframework.io/
https://github.com/topics/tuf
- https://github.com/engineerd/wasm-to-oci
spec: https://theupdateframework.github.io/specification/latest/
https://theupdateframework.github.io/specification/latest/#goals-to-protect-against-specific-attacks
https://theupdateframework.io/news/
TUF implementations
- PyPI has TUF & Sigstore
- Docker Notary has TUF
- OCI Container Image repos may or may not support TUF

python-tuf

src: https://github.com/theupdateframework/python-tuf
docs: https://github.com/theupdateframework/python-tuf/tree/develop/examples/
tuf-js
src: https://github.com/theupdateframework/tuf-js
go-tuf
src: https://github.com/theupdateframework/go-tuf

Sigstore

web: https://sigstore.dev/
status: https://status.sigstore.dev/
src: https://github.com/sigstore/
gh topic: https://github.com/topics/sigstore
- https://github.com/sigstore/gitsign#what-data-does-gitsign-store
docs: https://docs.sigstore.dev/
https://docs.sigstore.dev/#how-to-use-sigstore
"How to Use Sigstore without Sigstore" (2023) https://eprint.iacr.org/2023/003.pdf
The CLIs, when used to sign a software artifact, basically run the following procedure: 1) Generate a disposable key pair 2) Obtain a customizable OIDC token (e.g., for a workflow, VM, or Gmail user) 3) Request a public-key certificate from Fulcio using the key pair and the token 4) Digitally sign (the hash of) the software artifact using the private key 5) Timestamp the signature using Rekor 6) Output the certificate, the digital signature from step 4, and the timestamp data from step 5

Then the authenticity of a software artifact can be verified offline with the following proofs: a) The output from step 6 b) The root certificate of Fulcio c) The public key that Rekor used to sign the timestamp data
- https://github.com/sigstore/sigstore-python/issues/483

fulcio

src: https://github.com/sigstore/fulcio

sigstore OIDC PKI A Free-to-Use CA For Code Signing

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity, such as email address.

Fulcio only issues short-lived certificates that are valid for 10 minutes.
https://fulcio.sigstore.dev/
https://fulcio.sigstore.dev/api/v2/trustBundle

rekor

src: https://github.com/sigstore/rekor

The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact.

lineageos-infra / updater

ENH,BLD,SEC: sigstore, SLSA #68

TUF

python-tuf

tuf-js

go-tuf

Sigstore

fulcio

rekor

cosign

sigstore-js

sigstore-java

sigstore-python

SLSA