
@asraa
asraa / byo-tuf.go
Last active Apr 28, 2022
setup-tuf.go
package main

import (
	"flag"
	"fmt"
	"io"
	"os"
	"path/filepath"

	"github.com/theupdateframework/go-tuf"
@asraa
asraa / timestamp.md
Created Aug 3, 2021
It's ten o'clock, [do you know where your private keys are](https://en.m.wikipedia.org/wiki/Do_you_know_where_your_children_are%3F)?

It's ten o'clock, do you know where your private keys are?

Asra Ali, Appu Goundan

Short-lived certificates are great -- a short lifetime removes the need for complicated revocation policies and reduces an attacker’s window of opportunity. Yet using short-lived certificates in the software supply chain brings a lifetime problem: how can users trust artifacts after the certificate’s expiration? Repeatedly signing artifacts and requesting certificates is tedious. Really, distributors only need to prove that artifacts were signed when the certificate was valid… with timestamps! Enter SigStore’s new, free, open-source RFC 3161 timestamping service on the transparency log Rekor! Using short-lived certificates (from Fulcio, for example) with trusted, publicly verifiable timestamps allows

@asraa
asraa / timestamp.md
Created Jul 7, 2021
Timestamping Blog Post

@asraa
asraa / timestamp.md
Last active Jul 7, 2021
Timestamping Blog Post