Federation Hub · 9 March 2026 · 2 min

How CarphaCom signs every plugin tarball — and why that matters

CarphaCom signs every plugin tarball, ensuring authenticity and integrity. A detailed SBOM and transparency log are included for added security.

Introduction to Plugin Signing

At CarphaCom, we take the security of our plugins seriously. As part of our commitment to providing a secure and trustworthy platform, we have implemented a robust plugin signing process. Every plugin tarball is signed by the developer's key, counter-signed by the federation hub, hash-pinned in the manifest, and verified at install. This process ensures the authenticity and integrity of our plugins, giving our users confidence in the software they rely on.

The Signing Process

The signing process involves several steps. First, the plugin developer signs the plugin tarball with their private key. This creates a digital signature that can be verified by the federation hub. The federation hub then counter-signs the plugin with its own private key, adding an additional layer of verification. The hash of the plugin is also pinned in the manifest, ensuring that any tampering with the plugin will be detected.

The use of a transparency log adds an extra layer of security to the process. A transparency log is a tamper-evident record of all changes made to the plugin. This allows users to verify that the plugin has not been tampered with during transmission or storage. The transparency log is maintained by the federation hub and is available for public inspection.
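The three steps above (developer signature, hub counter-signature, hash pin) plus the tamper-evident log, worked through end to end as an added example. This is not CarphaCom's code or manifest schema: it assumes Ed25519 keys, a plain hash-chained log in place of a real transparency log, and the field names shown; the tarball bytes are a constructed stand-in.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest holds what the post says is pinned and signed; field names are assumptions.
// Hash is "sha256:<hex>" of the tarball, DevSig signs payload(), HubSig signs payload()||DevSig.
type Manifest struct {
	Name, Version, Hash string
	DevSig, HubSig      []byte
}

// payload is the canonical byte string both parties sign; it binds name,
// version and pinned hash together so none can be swapped independently.
func (m Manifest) payload() []byte { return []byte(m.Name + "\x00" + m.Version + "\x00" + m.Hash) }
// PinHash produces the "sha256:<hex>" form stored in the manifest.
func PinHash(tarball []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(tarball)) }
// DeveloperSign is step 1: the developer signs the manifest payload.
func DeveloperSign(m *Manifest, devPriv ed25519.PrivateKey) { m.DevSig = ed25519.Sign(devPriv, m.payload()) }
// LogRecord is what the hub publishes per release: pinned hash plus its counter-signature.
func LogRecord(m Manifest) []byte { return append([]byte(m.Hash+"\x00"), m.HubSig...) }

// HubCounterSign is step 2: the hub checks the developer signature, then signs
// payload||DevSig so its counter-signature vouches for that exact signature.
func HubCounterSign(m *Manifest, devPub ed25519.PublicKey, hubPriv ed25519.PrivateKey) error {
	if !ed25519.Verify(devPub, m.payload(), m.DevSig) {
		return errors.New("hub refuses to counter-sign: developer signature invalid")
	}
	m.HubSig = ed25519.Sign(hubPriv, append(m.payload(), m.DevSig...))
	return nil
}

// TransparencyLog is a minimal tamper-evident log: each entry's hash commits to
// the previous entry's hash, so editing or dropping history breaks the chain.
type LogEntry struct{ Prev, Hash [32]byte; Record []byte }
type TransparencyLog struct{ Entries []LogEntry }

func (l *TransparencyLog) Append(record []byte) {
	var prev [32]byte
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	l.Entries = append(l.Entries, LogEntry{Prev: prev, Hash: sha256.Sum256(append(prev[:], record...)), Record: record})
}

// Includes re-audits the whole chain and reports whether record is present; a broken chain yields false.
func (l *TransparencyLog) Includes(record []byte) bool {
	var prev [32]byte
	found := false
	for _, e := range l.Entries {
		if e.Prev != prev || e.Hash != sha256.Sum256(append(prev[:], e.Record...)) {
			return false
		}
		found = found || bytes.Equal(e.Record, record)
		prev = e.Hash
	}
	return found
}

// VerifyAtInstall is step 3, the installer's checks before anything is unpacked.
func VerifyAtInstall(m Manifest, tarball []byte, devPub, hubPub ed25519.PublicKey, tlog *TransparencyLog) error {
	switch {
	case PinHash(tarball) != m.Hash:
		return errors.New("tarball hash does not match the manifest pin")
	case !ed25519.Verify(devPub, m.payload(), m.DevSig):
		return errors.New("developer signature invalid")
	case !ed25519.Verify(hubPub, append(m.payload(), m.DevSig...), m.HubSig):
		return errors.New("hub counter-signature invalid")
	case !tlog.Includes(LogRecord(m)):
		return errors.New("release not found in an intact transparency log")
	}
	return nil
}

// RunScenario runs the full flow on constructed data and returns the install
// verdicts for the genuine tarball, a tampered tarball and a tampered log.
func RunScenario() (genuine, tamperedTarball, tamperedLog error) {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	hubPub, hubPriv, _ := ed25519.GenerateKey(rand.Reader)
	tarball := []byte("constructed stand-in for the bytes of example-plugin-1.0.tar.gz")
	m := Manifest{Name: "example-plugin", Version: "1.0", Hash: PinHash(tarball)}
	DeveloperSign(&m, devPriv)
	if err := HubCounterSign(&m, devPub, hubPriv); err != nil {
		panic(err) // cannot happen here: the hub was given the matching developer key
	}
	tlog := &TransparencyLog{}
	tlog.Append(LogRecord(m))
	genuine = VerifyAtInstall(m, tarball, devPub, hubPub, tlog)

	evil := append([]byte{tarball[0] ^ 1}, tarball[1:]...) // same manifest, one flipped bit in the tarball
	tamperedTarball = VerifyAtInstall(m, evil, devPub, hubPub, tlog)
	tlog.Entries[0].Record = []byte("rewritten history") // edited log entry; its chain hash is now stale
	tamperedLog = VerifyAtInstall(m, tarball, devPub, hubPub, tlog)
	return
}
```

Two design points worth noticing: the hub signs over the developer's signature rather than over the payload alone, so a counter-signature cannot be re-attached to a different developer signature, and the installer treats a log whose chain no longer audits clean as equivalent to "not logged", which is what makes the log tamper-evident rather than merely a list.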

SBOM and Transparency

A Software Bill of Materials (SBOM) is a list of all the components used to build a piece of software. At CarphaCom, we include an SBOM with every plugin, providing users with a detailed inventory of all the components used to build the plugin. This information is essential for identifying potential security vulnerabilities and ensuring compliance with regulatory requirements.

Transparency is a key component of our plugin signing process. We believe that users have the right to know exactly what they are installing on their systems. By providing a detailed SBOM and maintaining a transparency log, we give users the information they need to make informed decisions about the software they use.

Benefits of Plugin Signing

  • Authenticity: Plugin signing ensures that the plugin comes from a trusted source and has not been tampered with during transmission or storage.
  • Integrity: The digital signature ensures that the plugin has not been modified or corrupted during transmission or storage.
  • Compliance: The inclusion of an SBOM and transparency log helps users comply with regulatory requirements and identify potential security vulnerabilities.
  • Trust: The plugin signing process helps build trust between CarphaCom and our users, giving them confidence in the software they rely on.

The plugin signing process is an essential part of our commitment to providing a secure and trustworthy platform. By signing every plugin tarball and providing a detailed SBOM and transparency log, we give our users the confidence they need to rely on our software.

Example of a signed plugin manifest:
{
  "name": "example-plugin",
  "version": "1.0",
  "hash": "sha256:examplehash",
  "signature": "example-signature",
  "sbom": [
    {
      "name": "example-component",
      "version": "1.0"
    }
  ]
}

This example illustrates the level of detail and transparency we provide with every plugin.

The security of our plugins is of the utmost importance to us. We believe that our users have the right to know exactly what they are installing on their systems, and we are committed to providing them with the information they need to make informed decisions.

Bottom line

Tags: #supply-chain #signing #sbom #plugins #security

QubitPage Editorial

Editorial — QubitPage SRL