
Check whether the detached signature file meets the OpenSSF Scorecard check criteria or not #974

Open
FeynmanZhou opened this issue Jun 18, 2024 · 2 comments
Assignees
Labels
enhancement New feature or request v2 Things belongs to version 2.x
Milestone

Comments

@FeynmanZhou
Member

What is not working as expected?

CNCF provides a tool, Clomonitor, to run OpenSSF Security Best Practice checks on CNCF projects. There is a signing-related check that has not been passed among the security check items. See https://clomonitor.io/projects/cncf/notary#notation_security.

According to the OpenSSF Scorecard signing check criteria, only these signature file formats can be detected by the OpenSSF Scorecard check tool: *.asc (pgp), *.sig, *.sign, *.sigstore, [*.intoto.jsonl](https://slsa.dev/).


According to our current design and spec, Notation blob signing generates signatures using the .sig.jws and .sig.cose file formats. We need to check whether these detached signature files meet the OpenSSF Scorecard check criteria or not.

What did you expect to happen?

The OpenSSF Security Best Practice check on the signing part should pass after the Notation release assets are signed by Notation. The Notary Project signature file should meet the OpenSSF Scorecard signing check criteria.

How can we reproduce it?

See https://clomonitor.io/projects/cncf/notary#notation_security.

Describe your environment

N/A

What is the version of your Notation CLI or Notation Library?

v1.1.1

@FeynmanZhou FeynmanZhou added the triage Need to triage label Jun 18, 2024
@yizha1 yizha1 added enhancement New feature or request and removed triage Need to triage labels Jun 21, 2024

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.

@github-actions github-actions bot added the Stale label Aug 21, 2024
@yizha1 yizha1 removed the Stale label Sep 9, 2024
@yizha1 yizha1 added the v2 Things belongs to version 2.x label Oct 15, 2024
@yizha1 yizha1 added this to the 2.0.0 milestone Oct 15, 2024
@Two-Hearts
Contributor

Since *.sig is an accepted file format, can we switch to *.<signature_env_format>.sig? (currently, we have *.sig.<signature_env_format>)
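To make the naming question concrete, here is an added example (not Notation or Scorecard code) that classifies a release asset list with a plain filename-suffix rule built from the suffix list quoted in the issue, and rewrites the current `<artifact>.sig.<env>` layout into the `<artifact>.<env>.sig` layout proposed above. The suffix-match rule and the pairing of signatures to artifacts by name prefix are assumptions for illustration, not a copy of how Scorecard actually detects signatures; the asset names are constructed.

```python
"""Classify release assets by whether a suffix-based signature detector
(such as the OpenSSF Scorecard signing check) would recognise them.

Added example for this issue, not Notation or Scorecard code.  The accepted
suffix list comes from the issue text; matching on a bare filename suffix is
an assumption about how such detectors behave, not Scorecard's implementation.
"""
from __future__ import annotations

# Suffixes the issue names as detectable by the Scorecard signing check.
ACCEPTED_SUFFIXES = (".asc", ".sig", ".sign", ".sigstore", ".intoto.jsonl")

# Notation signature envelope formats mentioned in the issue (.sig.jws / .sig.cose).
ENVELOPE_FORMATS = ("jws", "cose")


def is_detected_signature(name: str) -> bool:
    """True if a suffix-based detector would classify `name` as a signature file."""
    lowered = name.lower()
    return any(lowered.endswith(suffix) for suffix in ACCEPTED_SUFFIXES)


def is_undetected_notation_signature(name: str) -> bool:
    """True for the current Notation layout <artifact>.sig.<env>, which ends in
    the envelope format rather than an accepted suffix and so goes undetected."""
    lowered = name.lower()
    return any(lowered.endswith(f".sig.{env}") for env in ENVELOPE_FORMATS)


def rename_for_detection(name: str) -> str:
    """Rewrite <artifact>.sig.<env> to <artifact>.<env>.sig (the layout
    proposed in the comment above).  Names in any other shape are returned unchanged."""
    for env in ENVELOPE_FORMATS:
        old_suffix = f".sig.{env}"
        if name.endswith(old_suffix):
            return name[: -len(old_suffix)] + f".{env}.sig"
    return name


def audit_release(assets: list[str]) -> dict[str, list[str]]:
    """Bucket a release asset list into:
    - signatures: files a suffix-based detector would count as signatures
    - undetected_signatures: Notation .sig.<env> files the detector would miss
    - covered / uncovered: remaining artifacts with or without a detected signature

    Pairing rule (assumed for this example): a signature covers an artifact when
    the signature name starts with the artifact name followed by a dot.
    """
    signatures = [a for a in assets if is_detected_signature(a)]
    undetected = [a for a in assets if is_undetected_notation_signature(a)]
    artifacts = [a for a in assets if a not in signatures and a not in undetected]
    covered, uncovered = [], []
    for art in artifacts:
        if any(sig.startswith(art + ".") for sig in signatures):
            covered.append(art)
        else:
            uncovered.append(art)
    return {
        "signatures": signatures,
        "undetected_signatures": undetected,
        "covered": covered,
        "uncovered": uncovered,
    }


# Constructed asset names for a hypothetical v1.1.1 release; one artifact uses the
# current naming, the other the proposed naming, to show the difference side by side.
CONSTRUCTED_RELEASE = [
    "notation_1.1.1_linux_amd64.tar.gz",
    "notation_1.1.1_linux_amd64.tar.gz.sig.jws",   # current layout: not detected
    "notation_1.1.1_darwin_arm64.tar.gz",
    "notation_1.1.1_darwin_arm64.tar.gz.jws.sig",  # proposed layout: detected
    "checksums.txt",
]

if __name__ == "__main__":
    report = audit_release(CONSTRUCTED_RELEASE)
    for bucket, names in report.items():
        print(f"{bucket}:")
        for n in names:
            print(f"  {n}")
    print("renamed:", [rename_for_detection(a) for a in CONSTRUCTED_RELEASE])
```

Running it shows the linux artifact and its `.sig.jws` file both falling outside the detected bucket, while the darwin artifact is covered by its `.jws.sig` file; `rename_for_detection` moves the first case into the second without touching artifacts or already-compliant names.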

Projects
Status: Todo

4 participants