From ef2e4e16961ab1ebc82dc8042951d3b07435d982 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Sun, 10 Oct 2021 20:51:02 +0200 Subject: removed what sigsum logging is and how it works What sigsum logging is and how it works is now properly covered by design.md and api.md. It is not needed in this repository as well. --- README.md | 89 +++++++++++++++++++++------------------------------------------ 1 file changed, 29 insertions(+), 60 deletions(-) diff --git a/README.md b/README.md index 08afae2..44171cd 100644 --- a/README.md +++ b/README.md @@ -1,73 +1,42 @@ # sigsum-log-go -Sigsum logging brings transparency to **sig**ned check**sum**s. What a -checksum represents is up to you. For example, it could be the cryptographic -hash of a [provenance file](https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html), -a [Firefox binary](https://wiki.mozilla.org/Security/Binary_Transparency), or a -text document. - -You can use sigsum logging to: -1. Discover which checksum signatures were produced by what secret signing keys. -2. Be sure that everyone observes the same signed checksums. - -## How it works -Suppose that you develop software and publish binaries. You sign those binaries -and make them available to users in a package repository and on your website. -You are committed to distribute the same signed binaries to every user. That is -an easy claim to make. However, word is cheap and sometimes things go wrong. -How would you even know if your signing infrastructure got compromised? A few -select users might already receive maliciously signed binaries that include a -backdoor. This is where we can help by adding transparency. - -For each binary you can log a signed checksum that corresponds to that binary. -If such a sigsum appears in the log that you did not expect: excellent, now -you know that your signing infrastructure was compromised at some point. -Similarly, you can also detect if a binary from your website or package -repository misses a corresponding log entry by inspecting the log. The claim -that the same binaries are published for everyone can be _verified_. - -Starting to apply the pattern of transparent logging is already an improvement -without any end-user enforcement. It becomes easier to detect honest mistakes -and attacks against your website or package repository. - -To make the most out of a sigsum log, end-users should start to enforce public -logging in the future. This means that a binary in the above example would be -_rejected_ unless a corresponding sigsum is publicly logged. - -Please refer to our -[design document](https://git.sigsum.org/sigsum/tree/doc/design.md) and -[API specification](https://git.sigsum.org/sigsum/tree/doc/api.md) -for additional details. +This repository provides a + [Trillian](https://transparency.dev/#trillian) + [personality](https://github.com/google/trillian/blob/master/docs/Personalities.md) +that implements the sigsum/v0 + [design](https://git.sigsum.org/sigsum/tree/doc/design.md) +and + [API](https://git.sigsum.org/sigsum/tree/doc/api.md). ## Public prototype -We implemented sigsum logging as a [Trillian](https://transparency.dev/#trillian) -[personality](https://github.com/google/trillian/blob/master/docs/Personalities.md). -A public prototype is up and running with zero promises of uptime, stability, -etc. -The log's base URL is http://poc.sigsum.org:4780/st/v0. -The log's public verification key is -`bc9308dab23781b8a13d59a9e67bc1b8c1585550e72956525a20e479b1f74404`. -The log's shard interval is [X, Y]. - -An experimental [witness](https://github.com/sigsum/sigsum-witness-py) is also -up and running with zero-promises of uptime, stability, etc. -The public verification key is -`777528f5fd96f95713b8c2bb48bce2c83628e39ad3bfbd95bc0045b143fe5c34`. - -You can talk to the log by passing ASCII key-value pairs. For example, -fetch a tree head and a log entry: +There is a public prototype that is up and running with zero promises of uptime, +stability, etc. Relevant log information: +- Base URL: https://poc.sigsum.org +- Public key: `bc9308dab23781b8a13d59a9e67bc1b8c1585550e72956525a20e479b1f74404` +- Shard interval: [X, Y] + +A [witness](https://github.com/sigsum/sigsum-witness-py) is also up and running +with zero-promises of uptime, stability, etc. Relevant witness information: +- Public key: `777528f5fd96f95713b8c2bb48bce2c83628e39ad3bfbd95bc0045b143fe5c34`. + +As described in our design and API documentation, you can talk to the log by +passing ASCII key-value pairs. For example, fetch a cosigned tree head and a +log entry: ``` -$ curl http://poc.sigsum.org:4780/sigsum/v0/get-tree-head-latest -timestamp=1632956637 +$ curl https://poc.sigsum.org/sigsum/v0/get-tree-head-cosigned +timestamp=1633888287 tree_size=17 root_hash=51ce7e8e7fa98d48ab84750ae9dcbabda268fbcca74ab907836a35a513396f9d -signature=c4bb2429410523d109540e0bd47e46b46bce6b233eb895fce4c761e60f15ac8a9d245153e3eaf30c7360b0f7bd49a6f7e4327bb1e7dc2396535726191b42c90b +signature=9c1c5ffab45e6bc6120c060b47520688659e7ad581b7db1f591442b9498fbaff7bd6a34d874a2809c71fb0996c7b71998a092f80ebd2dd5c9d3e21c5cf2f880d +key_hash=35c1364f52d2de9e8b002e6b1c0b376da5ccef65442654eb51d76e7aa2d22d74 +cosignature=2e058af6b6c26b470d1921e848b3479b1893417eed8215aa1eeb2dc089487fd38dd5d38d18297d61bd263826888a43c28d76c73d991a38f4d93e8731aa83200f $ -$ printf "start_size=0\nend_size=0\n" | curl --data-binary @- http://poc.sigsum.org:4780/sigsum/v0/get-leaves +$ printf "start_size=0\nend_size=0\n" | curl --data-binary @- https://poc.sigsum.org/sigsum/v0/get-leaves shard_hint=0 checksum=0000000000000000000000000000000000000000000000000000000000000000 signature=0e0424c7288dc8ebec6b2ebd45e14e7d7f86dd7b0abc03861976a1c0ad8ca6120d4efd58aeab167e5e84fcffd0fab5861ceae85dec7f4e244e7465e41c5d5207 key_hash=9d6c91319b27ff58043ff6e6e654438a4ca15ee11dd2780b63211058b274f1f6 ``` -We are currently working on tooling that makes it easier to interact with the -log. +Go tooling that makes it easier to interact with sigsum logs will appear in a +separate repository in the near future, see + [sigsum-lib-go](https://git.sigsum.org/sigsum-lib-go/). -- cgit v1.2.3