Produce cryptographic signing guide for package managers

[znewman01]

Lots of ink has been spilled on cryptographic signing in package managers (see "Misc. references" below). And we've certainly had our fair share of discussion in this working group. Still, new package managers pop up every day and must rehash many of these conversations for themselves (not to mention existing package managers that want to add security features after-the-fact).

Subtleties involve:

• Do developers need to manage private keys? Or is there some kind of PKI (maybe Sigstore)?
• What's the difference between community- and curated- package repositories (i.e., anybody can upload vs. a small set of trusted maintainers)?
• Privacy/GDPR concerns: Can we avoid having to store emails/other PII? If we do store them, how can we handle takedown requests?
• Can we enable auditability with transparency logs?
• For repositories that host binary artifacts, how do we link binaries to source (e.g. trusted builders)?

This group is in a good position to produce some documentation (I've even written some about this though it's not in a digestible format) that covers:

• Design considerations for a software signing system for a package repository.
• Various exemplar signing system designs: distro package manager with small number of maintainers, large-scale community repo, etc.
• Paths to incremental adoption.

I don't think we want to be too prescriptive, but we can help focus some of these discussions and make sure folks have all the relevant context when making decisions, plus even give step-by-step adoption guidelines.

Please feel free to add other references, other open questions, and (best) volunteer to coordinate this!

Misc. references

(Due to personal interest, I pay most attention to the proposals that involve Sigstore, but feel free to suggest others.)

• https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/
• https://theupdateframework.com/ and associated papers
• https://internals.rust-lang.org/t/pre-rfc-using-sigstore-for-signing-and-verifying-crates/18115
• https://github.com/rubygems/rfcs/pull/37
• https://github.com/npm/rfcs/pull/626
• https://github.com/pypi/warehouse/issues/3810
• https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html
• https://wiki.archlinux.org/title/DeveloperWiki:Package_signing
• https://link.springer.com/chapter/10.1007/978-3-030-00305-0_8
• https://blog.tidelift.com/the-state-of-package-signing-across-package-managers
• https://github.com/bytecodealliance/SIG-Registries/discussions/7
• https://peps.python.org/pep-0458/ and https://peps.python.org/pep-0480/

[feelepxyz]

@znewman01 great initiative! I would love to help out here and share any learnings from GitHub and working on provenance for npm.

[steiza]

We covered some, but not all, of this content in #17.

There were some requests for additional content on https://github.com/ossf/wg-securing-software-repos/pull/17#issuecomment-1627388801 that we could think about addressing in future docs.