
Consider endorsing/using Sigstore #642

Open
BethGriggs opened this issue Jan 27, 2021 · 4 comments
@BethGriggs
Member

BethGriggs commented Jan 27, 2021

Proposal/Exploration document: Sigstore for Node.js binaries

I believe it is important to reflect on the fundamental problems we are seeking to address and whether Sigstore tooling helps us to solve them. I've heard various community members suggest for us to adopt Sigstore tooling - I'm curious to hear the origins of those suggestions. So, my main ask is:

  • What are the problems that we're trying to solve?
  • How do we believe Sigstore is solving them?

While there are some potential benefits, from my exploration there are also tradeoffs to consider such as:

  • What does this provide to end-users in comparison to our current method of signing and verifying with GPG keys?
  • How many users will benefit from it?
  • Effort/cost of migrating to new tooling.
  • Concerns raised around delegation of trust.

Anyone with an interest, please feel free to review this Sigstore for Node.js binaries document. The current state of that document is somewhere between a personal scratch-pad of notes and an evolving proposal draft. I hope for that document to eventually help us converge on a decision or outcome of whether we feel Sigstore would add value for the Node.js project to adopt (or not).

cc groups that may have opinions: @nodejs/release, @nodejs/build, @nodejs/security, @nodejs/tsc


Initial suggestion

Chatting with some of the folks working on Rekor (https://rekor.dev/get_started/), they've suggested that it might be something we wish to explore/endorse for Node.js releases.

I will likely not explain it as well as the Rekor folks, but the ledger would be a source of truth for the URL, SHA, Public Key, and Signature of our releases that users can validate against. I believe there is also alerting we could set up - for example, if an old/previous release key was used to sign a release.

They have offered to give us an overview if there's interest. I also believe they've prototyped a ledger for Node.js releases.

cc: @nodejs/build

also cc (from rekor): @bobcallaway @dlorenc @lukehinds
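As an added illustration of the release-ledger idea described above (not code from the Node.js project, Rekor or Sigstore): a defender-side audit over ledger records carrying the URL, SHA, signing-key fingerprint and signature of each release, which recomputes the digest of the downloaded bytes and raises the kind of alert the comment mentions when a record was signed with a retired or unknown release key. The key fingerprints, URLs, records and artefacts are all constructed, and the signature field is carried but not cryptographically verified here.

```python
# Added example, not from the Node.js issue or from Sigstore/Rekor: audit ledger
# records (URL, SHA, key, signature) against downloaded bytes and a key policy.
import hashlib
import json

BASE = "https://example.invalid/"  # constructed download host
URL_A, URL_B, URL_C = (BASE + f"node-v99.0.{i}-linux-x64.tar.xz" for i in range(3))

# Constructed key policy; real Node.js release key fingerprints are NOT used.
CURRENT_RELEASE_KEYS = {"FP-CURRENT-0001", "FP-CURRENT-0002"}
RETIRED_RELEASE_KEYS = {"FP-RETIRED-2019"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed ledger: one clean record, one signed with a retired key, and one
# whose download will not match its recorded digest (and uses an unknown key).
LEDGER_JSON = json.dumps([
    {"url": URL_A, "sha256": sha256_hex(b"release-a"),
     "key_fingerprint": "FP-CURRENT-0001", "signature": "sig-a"},
    {"url": URL_B, "sha256": sha256_hex(b"release-b"),
     "key_fingerprint": "FP-RETIRED-2019", "signature": "sig-b"},
    {"url": URL_C, "sha256": sha256_hex(b"release-c"),
     "key_fingerprint": "FP-UNKNOWN-9999", "signature": "sig-c"},
])

# Constructed "downloaded" bytes keyed by URL; URL_C's artefact has been altered.
DOWNLOADS = {URL_A: b"release-a", URL_B: b"release-b", URL_C: b"release-c-tampered"}

def check_release(record: dict, downloaded: bytes) -> list:
    """Alerts for one record: digest mismatch and key-policy violations.
    The signature is carried in the record but not verified here."""
    alerts = []
    if sha256_hex(downloaded) != record["sha256"]:
        alerts.append("sha256 mismatch")
    fp = record["key_fingerprint"]
    if fp in RETIRED_RELEASE_KEYS:
        alerts.append("signed with retired release key")
    elif fp not in CURRENT_RELEASE_KEYS:
        alerts.append("signed with unknown key")
    return alerts

def audit_ledger(ledger_json: str, downloads: dict) -> dict:
    """Map every release URL in the ledger to its alert list ([] means clean)."""
    return {r["url"]: check_release(r, downloads[r["url"]])
            for r in json.loads(ledger_json)}

if __name__ == "__main__":
    for url, alerts in audit_ledger(LEDGER_JSON, DOWNLOADS).items():
        print(url, "OK" if not alerts else "; ".join(alerts))
```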

@lukehinds

Thanks for raising this @BethGriggs , sure we are happy to come onto a call or we can take questions in here, whichever the community prefers.

@richardlau
Member

There's a presentation https://www.youtube.com/watch?v=3LKHKpcH2x8

BethGriggs changed the title from "Consider endorsing/using Rekor as release ledger" to "Consider endorsing/using SigStore as release ledger" on Oct 24, 2022
BethGriggs self-assigned this on Nov 23, 2022
BethGriggs changed the title from "Consider endorsing/using SigStore as release ledger" to "Consider endorsing/using SigStore" on Mar 14, 2023
BethGriggs changed the title from "Consider endorsing/using SigStore" to "Consider endorsing/using Sigstore" on Mar 14, 2023
@BethGriggs
Member Author

BethGriggs commented Mar 14, 2023

I have been exploring the feasibility of utilizing Sigstore tooling for signing Node.js binaries (with initial assistance from @lukehinds).

While there are some potential benefits, from my exploration there are also tradeoffs to consider such as:

  • What does this provide to end-users in comparison to our current method of signing and verifying with GPG keys?
  • How many users will benefit from it?
  • Effort/cost of migrating to new tooling.
  • Concerns raised around delegation of trust.

I believe it is important to reflect on the fundamental problems we are seeking to address and whether Sigstore tooling helps us to solve them. I've heard various community members suggest for us to adopt Sigstore tooling - I'm curious to hear the origins of those suggestions. So, my main ask is:

  • What are the problems that we're trying to solve?
  • How do we believe Sigstore is solving them?

Anyone with an interest, please feel free to review this Sigstore for Node.js binaries document. The current state of that document is somewhere between a personal scratch-pad of notes and an evolving proposal draft. I hope for that document to eventually help us converge on a decision or outcome of whether we feel Sigstore would add value for the Node.js project to adopt (or not).

cc groups that may have opinions: @nodejs/release, @nodejs/build, @nodejs/tsc

I'm going to add this to the issue description so it's not as buried.

@RafaelGSS
Member

cc: @nodejs/security-wg
