@asraa
asraa / byo-tuf.go
Last active January 3, 2023 17:14
setup-tuf.go
package main
import (
"encoding/json"
"flag"
"fmt"
"io"
"os"
"path/filepath"
"strings"
@asraa
asraa / timestamp.md
Created August 3, 2021 13:53
It's ten o'clock, [do you know where your private keys are](https://en.m.wikipedia.org/wiki/Do_you_know_where_your_children_are%3F)?

Asra Ali, Appu Goundan

Short-lived certificates are great -- a short lifetime removes the need for complicated revocation policies and reduces an attacker’s window of opportunity. Yet using short-lived certificates in the software supply chain brings a lifetime problem: how can users trust artifacts after the certificate’s expiration? Repeatedly signing artifacts and requesting certificates is tedious. Really, distributors only need to prove that artifacts were signed when the certificate was valid… with timestamps! Enter SigStore’s new, free, open-source RFC 3161 timestamping service on the transparency log Rekor! Using short-lived certificates (from Fulcio, for example) with trusted, publicly verifiable timestamps allows

@asraa
asraa / timestamp.md
Created July 7, 2021 13:00
Timestamping Blog Post

Asra Ali, Appu Goundan

Short-lived certificates are great -- a short lifetime removes the need for complicated revocation policies and reduces an attacker’s window of opportunity. Yet using short-lived certificates in the software supply chain brings a lifetime problem: how can users trust artifacts after the certificate’s expiration? Repeatedly signing artifacts and requesting certificates is tedious. Really, distributors only need to prove that artifacts were signed when the certificate was valid… with timestamps! Enter SigStore’s new, free, open-source RFC 3161 timestamping service on the transparency log Rekor! Using short-lived certificates (from Fulcio, for example) with trusted, publicly verifiable timestamps allows

@asraa
asraa / timestamp.md
Last active July 7, 2021 12:59
Timestamping Blog Post

Asra Ali, Appu Goundan

Short-lived certificates are great -- a short lifetime removes the need for complicated revocation policies and reduces an attacker’s window of opportunity. Yet using short-lived certificates in the software supply chain brings a lifetime problem: how can users trust artifacts after the certificate’s expiration? Repeatedly signing artifacts and requesting certificates is tedious. Really, distributors only need to prove that artifacts were signed when the certificate was valid… with timestamps! Enter SigStore’s new, free, open-source RFC 3161 timestamping service on the transparency log Rekor! Using short-lived certificates (from Fulcio, for example) with trusted, publicly verifiable timestamps allows