Add Christmas advisories

This commit is contained in:
StellaOps Bot
2025-12-25 20:15:19 +02:00
parent ad7fbc47a1
commit d71853ad7e
8 changed files with 654 additions and 0 deletions


@@ -0,0 +1,67 @@
Heres a practical, lowfriction way to modernize how you sign and verify build “verdicts” in CI/CD using Sigstore—no longlived keys, offlinefriendly, and easy to audit.
---
### 1) Use **keyless** signing in CI
* In your pipeline, obtain an OIDC token (from your CI runner) and let **Fulcio** issue a shortlived X.509 codesigning cert (~10 minutes). You sign with the ephemeral key; cert + signature are logged to Rekor. ([Sigstore Blog][1])
**Why:** no key escrow in CI, nothing persistent to steal, and every signature is timebound + transparencylogged.
---
### 2) Keep one **hardwarebacked org key** only for special cases
* Reserve a physical HSM/YubiKey (or KMS) key for:
a) resigning monthly bundles (see §4), and
b) offline/airgapped verification workflows where a trust anchor is needed.
Cosign supports disconnected/offline verification patterns and mirroring the proof data. ([Sigstore][2])
---
### 3) Make “verdicts” firstclass OCI attestations
* Emit DSSE/attestations (SBOM deltas, reachability graphs, policy results) as OCIattached artifacts and sign them with keyless in CI. (Cosign is designed to sign/verify arbitrary OCI artifacts alongside images.) ([Artifact Hub][3])
---
### 4) Publish a **rotation & refresh policy**
* Every month, collect older attestations and **resign into a longlived “bundle”** (plus timestamps) using the org key. This keeps proofs verifiable over years—even if the 10minute certs expire—because the bundle contains the cert chain, Rekor inclusion proof, and timestamps suitable for **offline** verification. ([Trustification][4])
**Suggested SLOs**
* CI keyless cert TTL: 10 minutes (Fulcio default). ([Sigstore][5])
* Bundle cadence: monthly (or per release); retain N=24 months.
---
### 5) Offline / airgapped verification
* Mirror the image + attestation + Rekor proof (or bundle) into the disconnected registry. Verify with `cosign verify` using the mirrored materials—no internet needed. (Multiple guides show fully disconnected OpenShift/airgapped flows.) ([Red Hat Developer][6])
---
### 6) Address common concerns (“myths”)
* “Shortlived certs will break verification later.” → They dont: you verify against the Rekor proof/bundle, not live cert validity. ([Trustification][4])
* “Keyless means less security.” → The opposite: no static secrets in CI; certs expire in ~10 minutes; identity bound via OIDC and logged. ([Chainguard][7])
---
### Minimal rollout checklist
* [ ] Enable OIDC on your CI runners; test `cosign sign --identity-token ...`
* [ ] Enforce identity/issuer in policy: `--certificate-identity` + `--certificate-oidc-issuer` at verify time. ([Sigstore][2])
* [ ] Set up a monthly job to build **Sigstore bundles** from past attestations and resign with the org key. ([Trustification][4])
* [ ] For offline sites: mirror images + attestations + bundles; verify with `cosign verify` entirely offline. ([Red Hat Developer][6])
Want me to draft the exact cosign commands and a GitLab/GitHub Actions snippet for your StellaOps pipelines (keyless sign, verify gates, monthly bundling, and an offline verification playbook)?
[1]: https://blog.sigstore.dev/trusted-time/?utm_source=chatgpt.com "Trusted Time in Sigstore"
[2]: https://docs.sigstore.dev/cosign/verifying/verify/?utm_source=chatgpt.com "Verifying Signatures - Cosign"
[3]: https://artifacthub.io/packages/container/cosign/cosign/latest?utm_source=chatgpt.com "cosign latest · sigstore/cosign"
[4]: https://trustification.io/blog/?utm_source=chatgpt.com "Blog"
[5]: https://docs.sigstore.dev/certificate_authority/overview/?utm_source=chatgpt.com "Fulcio"
[6]: https://developers.redhat.com/articles/2025/08/27/how-verify-container-signatures-disconnected-openshift?utm_source=chatgpt.com "How to verify container signatures in disconnected OpenShift"
[7]: https://www.chainguard.dev/unchained/life-of-a-sigstore-signature?utm_source=chatgpt.com "Life of a Sigstore signature"
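Review bot: the committed text reads as a pasted chat reply rather than an advisory and should be cleaned before merge. The closing line "Want me to draft the exact cosign commands and a GitLab/GitHub Actions snippet for your StellaOps pipelines ..." is a conversational offer, not documentation, and every reference URL carries a `?utm_source=chatgpt.com` tracking parameter that should be stripped. Two references are also too weak for the claims hung on them: [3] is an Artifact Hub package listing cited for Cosign's OCI-artifact design, and [4] is the Trustification blog index (`https://trustification.io/blog/`) cited three times for the monthly bundle re-signing claim in §4, §6 and the checklist; both should point at the specific page or be replaced with the Sigstore docs. On substance, §4 and §6 are in tension: §6 says verification relies on "the Rekor proof/bundle, not live cert validity", so §4 should state what re-signing with the org key adds beyond the cert chain, Rekor inclusion proof and timestamps the bundle already carries (for example, the trust anchor for air-gapped sites that §2 b) mentions), otherwise the monthly job looks redundant.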