12/2/2022

Comparing in-toto and Sigstore: Two Approaches to Software Supply Chain Security

Author: Cole Kennedy

in-toto vs sigstore

As software becomes increasingly essential in our lives and businesses, ensuring its security and integrity is crucial. One way to protect software supply chains is through in-toto and sigstore. We'll compare the two approaches, examining their key features, differences, and potential uses.

What is sigstore?

Sigstore is a public service for securely storing and verifying software signatures. It was created by Luke Hinds of RedHat, using technology based on a Merkle tree to create a tamper-proof record of the software development process. This allows organizations to verify the authenticity of the software they use, ensuring it has not been modified or compromised.

In-toto focuses on ensuring the integrity of the software development process, while sigstore focuses on securely storing and verifying software signatures.

How does sigstore work?

Sigstore employs cryptography to create a secure and verifiable record of the software development process. Relevant parties (such as developers and build servers) can use their OIDC identity to sign the software, creating a digital signature. These signatures are then stored on the sigstore platform, guaranteeing their integrity and immutability.

When an organization wants to verify the authenticity of software, they can use the sigstore platform to check the parties who signed it. This allows the organization to trust that the software they are using is certified by its author.

What is in-toto?

In-toto is an open-source framework for ensuring the integrity of software supply chains. Researchers at NYU Secure Systems Lab developed it to provide a verifiable record of the steps taken in the software development process. This allows organizations to ensure their software has not been tampered with or compromised.

TestifySec’s Witness is a supported, open-source implementation of in-toto that makes it easy for organizations to secure their software supply chains.

How does in-toto work?

In-toto allows organizations to specify the steps that should be taken in the software development process and verify that these steps are followed. It does this through cryptographic techniques such as digital signatures and hash functions.

For example, suppose an organization wants to ensure software is only built using specific tools and libraries. They can specify these requirements in an in-toto layout. The organization can check this record to ensure the software has not been tampered with or compromised.

Key differences between in-toto and sigstore

Although both in-toto and sigstore aim to ensure the security and integrity of software supply chains, there are some key differences between the two approaches:

  • In-toto focuses on ensuring the integrity of the software development process, while sigstore focuses on securely storing and verifying software signatures.
  • In-toto is an open-source framework, while sigstore is a public service.
  • In-toto uses cryptographic techniques, such as digital signatures and hash functions, to verify the steps taken in the development process. Sigstore uses cryptography to create digital signatures of the software and its metadata, which are then stored.

Why High Compliance Organizations Need in-toto

In-toto is an open-source framework that can help enterprises ensure the integrity of their software supply chains. It allows organizations to specify the steps that should be taken in the software development process and verify that these steps are followed through cryptographic techniques, such as digital signatures and hash functions.

With in-toto, enterprises can create a verifiable record of the steps taken in the software development process, ensuring that their software has not been tampered with or compromised. This can help enterprises avoid using maliciously modified or improperly tested software, reducing the risk of security breaches and other vulnerabilities.

In-toto also enables enterprises to verify the identities of the parties involved in the software development process. This ensures that only trusted and authorized parties create and maintain enterprise software, enhancing the security of the supply chain.

Overall, in-toto is a valuable tool for enterprises looking to improve the security of their software supply chains. It ensures the integrity of the development process and verifies the parties' identities, reducing the risk of security breaches and other vulnerabilities.

How in-toto detects tampering

When an organization specifies the steps that should be taken in the software development process using in-toto, the relevant parties (such as developers and build servers) can use their private keys to sign the in-toto metadata at each step. This creates a digital signature that can be verified to ensure that the software has not been tampered with.

For example, if an attacker were to modify the software in some way, the digital signature would no longer match the software and the tampering would be detected. In-toto also allows organizations to verify the identities of the parties involved in the development process, further enhancing the security of the supply chain.

in-toto detects tampering

Getting started with in-toto

To use in-toto to ensure that your CI/CD pipelines are compliant, you would need to do the following:

  • Specify the steps that should be taken in your software development process in an in-toto layout or Witness policy. This layout should include any requirements or constraints you want to enforce, such as which tools and libraries should be used, who is allowed to make changes to the code, and so on.

  • Integrate in-toto into your CI/CD pipelines by adding it to the steps in your pipeline. This step should generate the in-toto metadata for each step in the pipeline and use the private keys of the relevant parties (such as developers and build servers) to sign this metadata.

  • Verify the in-toto link metadata at each step in the pipeline to ensure that the steps taken in the development process were the ones that were intended. This can be done using the public keys of the parties who signed the metadata and can be automated as part of the pipeline.

By following these steps, you can use in-toto to ensure that your CI/CD pipelines comply with the requirements and constraints specified in the in-toto layout. This can help to reduce the risks of software supply chain attacks and ensure the security and integrity of the software distribution and deployment processes.

Witness

TestifySec's Witness is a supported, open-source implementation of in-toto that makes it easy for organizations to secure their software supply chains. With integrations for GitLab and GitHub, a key server for secure keyless signing, and an attestation store to distribute evidence, Witness has everything you need to protect your software. Visit our Witness code repository at https://github.com/testifysec/witness or contact us to discuss your organization’s requirements and learn how Witness can help keep your software safe.