Sigstore Basics

Let’s start with a really simple example of keyless signing using sigstore:

First, install sigstore if you don’t already have it. E.g. with `brew:

brew install sigstore

Then, sign a file:

sigstore sign README.md

This should ask you to authenticate with an IdP to obtain an OIDC identity token. Behind the scenes, Sigstore creates a new local ephemeral keypair, then uses the OIDC identity token to create a Certificate Signing Request for the keypair which it sends to Fulcio. Sigstore receives the Signed Certificate Timestamp (SCT), Certificate and intermediate chain from Fulcio. Sigtore then signs the input using the ephemeral private key, publishes the signature, the inputs hash, and the signing certificate to the certificate transparency log - Rekor. Finally Sigstore saves the verifications materials locally, in a Sigstore bundle at README.md.sigstore.json.

Signing commits with GPG is a useful technique for verifying the authenticity and integrity of code changes - here’s how you can set it up.

Creating keys

First you’ll need to create a key-pair to start signing commits. Run the following command and follow the prompts (if in doubt accept the default settings).

gpg --full-generate-key

This should give you a primary key for signing and for certifying other keys, and a subkey for encryption:

ReDoS - the security threat that no-one knows about. At least that how it seems, every time I talk to developers about ReDoS and get blank looks. Or when the results of a code audit highlight a bunch of evil regular expressions.

We need to talk about ReDoS. In this post, I’ll explain what ReDoS actually is, and what developers can do about it.