Minimus uses the Sigstore architecture to sign and verify images and their contents. Sigstore is a collection of open-source projects backed by OpenSSF (The Open Source Security Foundation) that includes several technologies: Cosign, Rekor, and Fulcio.

The Sigstore toolchain is used to ensure that all build artifacts are cryptographically signed and tamper-proof. As the software provider, Minimus uses Cosign to sign the code artifacts in order to confirm that the software is trustworthy and comes from a known source. As an end-user, you can use Cosign verify commands to confirm that an image was properly signed by Minimus and to verify that the artifact was not tampered with after it was signed.

Implementing software signature verification as part of your development process is key to following best practices for software supply chain security.

Overview

The following is a general overview of the process used to verify the integrity of software artifacts using the Cosign keyless signing process.

1. Request certificate

   The developer requests a certificate from the Fulcio certificate authority. The developer authenticates using OpenID Connect and Fulcio returns the signing key pair.

2. Publish signing certificate

   Cosign orchestrates the signing and publishes the public key to the Rekor transparency log.

3. Sign and publish artifact

   The developer uses the private keys to sign the artifact, then publishes the signed artifact to end users. The private key is deleted.

4. Verify signature

   End users download the signed artifact and verify both aspects:

   • Check the signature in the Rekor transparency log using the public keys generated with Cosign (from step 1).
   • Check that the signing party is in the trust root.

Signing public and private key pair

Fulcio generates a key pair that includes:

  • Private key for signing data. The signing key is private and extremely short-lived so it doesn’t need to be stored.
  • Public key for verifying the signature. The verification key is public and openly distributed so anyone can use it to verify the signature.

Keyless signing increases trust

To protect against forgery, the private signing key is extremely short-lived, which minimizes its risk of being hijacked or stolen. This technology is known as keyless signing, not as an overstatement, but to emphasize the fact that the keys do not need to be stored. The signing keys, which expire immediately after the artifact is signed, are said to be ephemeral.

The signing key pair is only generated once the user authenticates via an OpenID Connect (OIDC) identity provider, such as Google, GitHub, or Microsoft. This process confirms the identity of the signing party and also ensures that the private key was valid at the time of signing.

Fulcio certificate authority

Fulcio is a certificate authority for developer signatories, inspired by the public certificate authority revolution for SSL certificates led by Let’s Encrypt. Fulcio binds the public verification keys provided by Cosign to the signer’s OIDC token, thereby allowing others to look up the identity of the party that signed off on the software. OIDC tokens can be generated using email, GitHub or GitLab workflows, etc.

Fulcio acts as a trusted party that verifies the identity of the signer. You can trust the signature of the image (or SBOM or any other signed code artifact) because you trust Fulcio, the certificate authority.
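The Go program below is an added example, not Minimus or Sigstore code, that models the four overview steps and the ephemeral-key and Fulcio points above in about a hundred lines of standard library: an in-memory toy CA stands in for Fulcio and issues a ten-minute code-signing certificate that binds a freshly generated key to an identity; the developer signs the artifact digest and the private key is dropped; the end user then chains the certificate to the trust root as of signing time, pins the expected identity and OIDC issuer, and checks the signature. Assumptions: the identity and issuer are passed to the toy CA directly instead of being taken from a validated OIDC token; the `SignedAt` field stands in for the signing time that Rekor records; the issuer is stored in the extension OID Fulcio documents for the raw issuer string, but nothing in the check depends on that choice; the e-mail, issuer URL and artifact bytes are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Extension carrying the OIDC issuer; Fulcio's documented OID for the raw issuer string.
var oidcIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// toyCA stands in for Fulcio: a constructed in-memory root that issues short-lived
// code-signing certificates bound to an OIDC identity. pool is the end user's trust root.
type toyCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

func newToyCA() (*toyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-fulcio-root"},
		NotBefore: now.Add(-2 * time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &toyCA{cert: cert, key: key, pool: pool}, nil
}

// issue is step 1: bind the public key to the authenticated identity for ten minutes.
// Real Fulcio derives email/issuer from a validated OIDC token; here they are passed in.
func (ca *toyCA) issue(pub *ecdsa.PublicKey, email, issuer string, now time.Time) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * time.Minute),
		EmailAddresses:  []string{email},
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		ExtraExtensions: []pkix.Extension{{Id: oidcIssuerOID, Value: []byte(issuer)}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
}

// Bundle is what the end user downloads next to the artifact (step 3). SignedAt stands
// in for the signing time Rekor records; the private key is not part of it.
type Bundle struct {
	Signature []byte
	CertDER   []byte
	SignedAt  time.Time
}

// signArtifact covers steps 1-3 on the developer side. The ephemeral key lives only
// inside this function; it is garbage once the signature exists.
func signArtifact(ca *toyCA, artifact []byte, email, issuer string, now time.Time) (Bundle, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Bundle{}, err
	}
	certDER, err := ca.issue(&key.PublicKey, email, issuer, now)
	if err != nil {
		return Bundle{}, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{Signature: sig, CertDER: certDER, SignedAt: now}, nil
}

// verifyBundle is step 4: chain to the trust root as of signing time (the certificate has
// long expired by now, which is expected), pin identity and issuer, then check the signature.
func verifyBundle(roots *x509.CertPool, b Bundle, artifact []byte, wantEmail, wantIssuer string) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: b.SignedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted at signing time: %w", err)
	}
	// A valid certificate from the right CA for the wrong signer must still be rejected.
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantEmail {
		return errors.New("signer identity does not match")
	}
	var issuer string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidcIssuerOID) {
			issuer = string(ext.Value)
		}
	}
	if issuer != wantIssuer {
		return errors.New("OIDC issuer does not match")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type in certificate")
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return errors.New("signature does not match artifact")
	}
	return nil
}

func main() {
	ca, err := newToyCA()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample artifact bytes")
	email, issuer := "builder@example.com", "https://oidc.example.com" // constructed
	b, err := signArtifact(ca, artifact, email, issuer, time.Now().Add(-time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact:", verifyBundle(ca.pool, b, artifact, email, issuer))
	fmt.Println("tampered artifact:", verifyBundle(ca.pool, b, []byte("tampered"), email, issuer))
	fmt.Println("wrong identity:", verifyBundle(ca.pool, b, artifact, "other@example.com", issuer))
}
```

Two design points carry over to real `cosign verify` usage. First, verification is evaluated at the signing time, not the current time, because an ephemeral certificate is meant to be expired by the time anyone checks it; that is why the recorded signing time has to come from a source the verifier trusts (Rekor, in Sigstore) rather than from the bundle alone. Second, trusting the CA is not enough: the expected identity and OIDC issuer are pinned explicitly, otherwise any certificate the CA ever issued would pass.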

Rekor log

Rekor is Sigstore’s signature transparency log, where each entry in the log provides auditability for a signed artifact. A public instance of Rekor is maintained by the Sigstore community. Rekor provides an immutable transaction log enabling users to verify the integrity of their downloaded software artifacts. Rekor stores records of artifact metadata, providing transparency for signatures so users can monitor and detect any tampering of the software supply chain.