Description
Proposal/Exploration document: Sigstore for Node.js binaries
I believe it is important to reflect on the fundamental problems we are seeking to address and whether Sigstore tooling helps us to solve them. I've heard various community members suggest for us to adopt Sigstore tooling - I'm curious to hear the origins of those suggestions. So, my main ask is:
- What are the problems that we're trying to solve?
- How do we believe Sigstore is solving them?
While there are some potential benefits, from my exploration there are also tradeoffs to consider such as:
- What does this provide to end-users in comparison to our current method of signing and verifying with GPG keys?
- How many users will benefit from it?
- Effort/cost of migrating to new tooling.
- Concerns raised around delegation of trust.
Anyone with an interest, please free to review this Sigstore for Node.js binaries document. The current state of that document is somewhere between a personal scratch-pad of notes and an evolving proposal draft. I hope for that document to eventually help us converge on a decision or outcome of whether we feel Sigstore would add value for the Node.js project to adopt (or not).
cc groups that may have opinions: @nodejs/release, @nodejs/build, @nodejs/security, @nodejs/tsc
Initial suggestion
Chatting with some of the folks working on Rekor (https://rekor.dev/get_started/), they've suggested that it might be something we wish to explore/endorse for Node.js releases.
I will likely not explain it as well as the Rekor folks, but the ledger would be a source of truth for the URL, SHA, Public Key, and Signature of our releases that users can validate against. I believe there is also alerting we could set up - for example, if an old/previous release key was used to sign a release.
They have offered to give us an overview if there's interest. I also believe they've prototyped a ledger for Node.js releases.
cc: @nodejs/build
also cc (from rekor): @bobcallaway @dlorenc @lukehinds