Add in-toto metadata to python-tuf releases #529

Open
vladimir-v-diaz opened this issue Nov 10, 2017 · 2 comments · May be fixed by #2000
Comments

@vladimir-v-diaz
Contributor

vladimir-v-diaz commented Nov 10, 2017

Description of issue or feature request:
Project releases should include in-toto metadata that can be used to validate the integrity of the release's software supply chain.

Current behavior:
Developer signatures can be provided for each release of the project, both on GitHub and PyPI. However, these signatures do not guarantee that some part of the source->release process was not compromised.

Expected behavior:
The packaged release should include metadata and a way to verify that the project was packaged as intended. All steps of the source->release procedure should be properly signed and confirmed to be valid, as defined by the project developers.

@vladimir-v-diaz vladimir-v-diaz changed the title Add in-toto metadata to releases to validate the integrity of its software supply chain Add in-toto metadata to releases to validate the integrity of their software supply chain Nov 10, 2017
@vladimir-v-diaz vladimir-v-diaz added the good first issue Bite-sized items for first time contributors label Nov 30, 2017
@joshuagl joshuagl added this to the 1.0.0 milestone Jul 7, 2020
@joshuagl joshuagl removed this from the 1.0.0 milestone Sep 8, 2020
@jku
Member

jku commented Feb 17, 2022

I'm going to remove "good first issue": The description may be clear to an in-toto expert but as an example I wouldn't have any idea where to start implementing this.

Also editing the title to what I think the suggestion is

@jku jku removed the good first issue Bite-sized items for first time contributors label Feb 17, 2022
@jku jku changed the title Add in-toto metadata to releases to validate the integrity of their software supply chain Add in-toto metadata to python-tuf releases Feb 17, 2022
@lukpueh
Member

lukpueh commented Mar 15, 2022

With python-tuf builds becoming reproducible (see #1269) we can provide multiple in-toto links for any given release build each signed with a different maintainer key, and create a corresponding in-toto layout that encodes the key authorization and a signature threshold requirement.

See apt-transport-in-toto for a detailed description of this scenario (note, the tool deals with Debian packages and therefore includes a lot of code that hooks into apt, but the in-toto metadata scaffolding would be alike for Python wheels)
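The verification side of the scenario described in the two comments above (several maintainers each signing a link for the same reproducible build, a layout authorizing those keys with a threshold, and a consumer checking the release against it) as an added, self-contained example. This is not python-tuf or in-toto project code: the key ids, secrets, wheel file name and digests are constructed, HMAC stands in for the asymmetric signatures in-toto actually uses so the script runs on the standard library alone, and the `pubkeys` / `threshold` / `expected_products` fields are only loosely modelled on in-toto layout steps.

```python
import hashlib
import hmac
import json

# Constructed stand-in for three maintainer keys. Real in-toto links are
# signed with asymmetric keys (e.g. ed25519); HMAC secrets keyed by a
# constructed keyid are used here only so the example needs no third-party
# library. Every name below is an assumption, not a python-tuf identifier.
MAINTAINER_SECRETS = {
    "alice": b"alice-constructed-secret",
    "bob": b"bob-constructed-secret",
    "carol": b"carol-constructed-secret",
}

# Constructed layout fragment for the "build" step: three authorized
# maintainer keys, two of which must independently produce matching links.
LAYOUT = {
    "steps": [
        {
            "name": "build",
            "pubkeys": ["alice", "bob", "carol"],
            "threshold": 2,
            "expected_products": ["dist/tuf-0.0.0-placeholder.whl"],
        }
    ]
}


def canonical(obj):
    """Deterministic serialization so every signer hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_link(keyid, step_name, products):
    """Build and sign a minimal link for one maintainer's build run."""
    signed = {"_type": "link", "name": step_name, "products": products}
    sig = hmac.new(MAINTAINER_SECRETS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signatures": [{"keyid": keyid, "sig": sig}]}


def verify_step(layout, step_name, links, keystore=MAINTAINER_SECRETS):
    """Return (ok, reason) for one layout step against the supplied links.

    Passes only if at least `threshold` distinct *authorized* keys signed
    links that agree byte-for-byte on products, and those products match
    the layout's expected_products.
    """
    step = next(s for s in layout["steps"] if s["name"] == step_name)
    authorized = set(step["pubkeys"])
    products_by_key = {}  # keyid -> canonical products that key attested to

    for link in links:
        signed = link["signed"]
        if signed.get("name") != step_name:
            continue  # link for a different step, ignore
        for sig in link["signatures"]:
            keyid = sig["keyid"]
            if keyid not in authorized or keyid not in keystore:
                continue  # unknown or unauthorized signer does not count
            expected = hmac.new(keystore[keyid], canonical(signed), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, sig["sig"]):
                products_by_key[keyid] = canonical(signed["products"])

    if len(products_by_key) < step["threshold"]:
        return False, f"{len(products_by_key)} valid authorized signatures, {step['threshold']} required"
    if len(set(products_by_key.values())) != 1:
        return False, "authorized links disagree on products (build not reproducible)"
    products = json.loads(next(iter(products_by_key.values())))
    if sorted(products) != sorted(step["expected_products"]):
        return False, "products do not match layout expected_products"
    return True, "ok"


# Constructed artifact digests; a real run would hash the wheel on disk.
GOOD_WHEEL = {"dist/tuf-0.0.0-placeholder.whl": {"sha256": hashlib.sha256(b"good build").hexdigest()}}
BAD_WHEEL = {"dist/tuf-0.0.0-placeholder.whl": {"sha256": hashlib.sha256(b"tampered build").hexdigest()}}


def scenario_agreeing_builds():
    """Two maintainers rebuilt reproducibly and attested the same digest."""
    links = [make_link("alice", "build", GOOD_WHEEL), make_link("bob", "build", GOOD_WHEEL)]
    return verify_step(LAYOUT, "build", links)


def scenario_single_signer():
    """One maintainer alone cannot satisfy a threshold of two."""
    return verify_step(LAYOUT, "build", [make_link("alice", "build", GOOD_WHEEL)])


def scenario_disagreeing_builds():
    """Second signer's build differs: either non-reproducible or tampered."""
    links = [make_link("alice", "build", GOOD_WHEEL), make_link("carol", "build", BAD_WHEEL)]
    return verify_step(LAYOUT, "build", links)


def scenario_unauthorized_keyid():
    """A link whose signer is not in the layout's pubkeys is ignored entirely."""
    stray = make_link("alice", "build", GOOD_WHEEL)
    stray["signatures"][0]["keyid"] = "mallory"  # constructed, not in LAYOUT
    return verify_step(LAYOUT, "build", [stray, make_link("bob", "build", GOOD_WHEEL)])


if __name__ == "__main__":
    for fn in (scenario_agreeing_builds, scenario_single_signer,
               scenario_disagreeing_builds, scenario_unauthorized_keyid):
        print(fn.__name__, fn())
```

The point the threshold enforces is the one lukpueh's comment relies on: with reproducible builds, independent maintainers can rebuild the wheel and sign links that must agree on the product digest, so a single compromised maintainer key (or a single tampered build machine) cannot produce a release that verifies on its own.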
