Skip to content

Tracking: Signing & Trust v1 #24

Description

@michael-herwig

Goal

Secure defaults for OCX packages: publisher signs after push, consumer verifies by default, typosquat defeated.

  1. Sign + verify via keyless Sigstore — real pipeline over the PR feat(cli,oci): OCI referrers sign + verify (slice 1) #87 scaffold (ocx package sign / ocx package verify; sigstore-rs, Rekor v1 + TUF-distributed trust root).
  2. Registry capability handling — OCI 1.1 Referrers API detection, clean actionable error, no tag fallback.
  3. Identity-pinned verify via [trust.policy] in ocx.toml — defeats typosquatting.
  4. Offline / air-gapped trust-root story — trust-root cache, OCX_OFFLINE semantics, OCX_SIGSTORE_TUF_ROOT override.
  5. Auto-verify on install / pull (policy-gated) — promotion from "command exists" to "default secure".
  6. cosign v3 interop — cosign 3.x reads OCX signatures and vice versa.

Sub-issues

Dependency order (#195 runs parallel to the #194 spike):

External (pending, not milestone-gated):

Threat coverage (post-milestone)

Threat Defense Issue
Compromised registry OCI Referrers API + Sigstore verify #194
Typosquatting Identity pinning in [trust.policy] #98
Mirror-bundle tampering Mirror re-sign + attest (pending, external) #105 (closed) → ocx-sh/ocx-mirror#7

SBOM, SLSA provenance, and OSV scanning moved to milestone B — tracker #199.

Non-goals (deferred)

  • ocx package push --sign (sign-on-push) — v1 flow is sign after push as a separate step; a combined flag is explicitly deferred.
  • cosign pre-3.0 consumer compat — dropped. Floor is cosign >= 3.0 (referrers-mode default, .sig tags deprecated upstream). OCX is referrers-only; never add a tag-schema fallback. Document the floor in the user guide / threat model.
  • Notation parallel implementation (cosign-only in v1).
  • PKCS#11 / YubiKey signing UX (keyless OIDC covers public OCX.sh; hardware keys are enterprise v2 concern).
  • Private TUF trust root (use Sigstore's TUF-distributed root in v1; bring-your-own-TUF deferred).
  • Reproducible-builds rebuilder integration.
  • SLSA VSA (Verification Summary Attestation).

Test fixtures

All acceptance tests reuse the fake Fulcio + Rekor + OIDC stack from PR #87 (test/tests/fixtures/fake_sigstore.py). Fixture extensions kept minimal — reuse over duplication.

Done when

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/ociSubsystem: ocisecuritySecurity-relevant change or hardening

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions