Trail of Bits Blog
Catching malicious package releases using a transparency log
This project, funded by the OpenSSF, focuses on hardening Sigstore's rekor-monitor for production use so that it can detect tampering and unauthorized identity use in the Rekor log. Rekor is a transparency log: it produces tamper-evident records, but an individual entry is not trustworthy on its own unless someone is monitoring the log. The goal is to make it easy for developers, and package maintainers in particular, to actively watch the log for unexpected entries. Transparency logs use Merkle trees to verify that recorded digests match the intended dependency. Monitoring is what makes this useful: rekor-monitor lets users check both for tampering with entries and for unexpected use of an identity within the log. For example, a maintainer can monitor for their own identity to detect a compromise that surfaces as an unexpected package upload. The project has implemented Rekor v2 log support, certificate validation, and integration with The Update Framework (TUF), along with a reusable GitHub workflow so that anyone with a repository can run the monitor. Future plans include a hosted service that alerts users to new log entries matching their identities, akin to GopherWatch. By securing the Sigstore ecosystem, the project aims to improve the security of open-source software.