  • Catching malicious package releases using a transparency log: We’re getting Sigstore’s rekor-monitor ready for production use, making it easier for developers to detect tampering and unauthorized uses of their identities in the Rekor transparency log.
  • This work, funded by the OpenSSF, includes support for the new Rekor v2 log, certificate validation, and integration with The Update Framework (TUF).
  • For package maintainers who publish attestations signed using Sigstore (as supported by PyPI and npm), monitoring the Rekor log can help them quickly become aware of a compromise of their release process by notifying them of new signing events related to the packages they maintain.
  • Transparency logs like Rekor provide a critical security function: they create append-only, tamper-evident records that are easy to monitor.
  • But having entries in a log doesn’t mean that they’re trustworthy by default.
  • A compromised identity could be used to sign metadata, with the malicious entry recorded in the log.

Article Summaries:

  • Sigstore has released a production-ready rekor-monitor tool that lets developers watch the Rekor transparency log for suspicious signing activity. The update adds support for Rekor v2, certificate validation, and integration with The Update Framework (TUF). Package maintainers who publish Sigstore-signed attestations on PyPI or npm can now receive alerts when new entries involving their packages appear, helping them spot compromised release processes early. Transparency logs, such as Rekor and Go’s checksum database, provide append-only, tamper-evident records that can be monitored by independent witnesses, reducing reliance on potentially vulnerable databases.

Sources: