Software Supply Chain Security Assignment
Project description
software-supply-chain-security
This repository demonstrates software supply chain security practices using Sigstore for artifact signing and verification. It includes steps to create, sign, and verify software artifacts, along with verifying their inclusion in Sigstore's Merkle tree transparency log (Rekor).

The workflow implemented here helps ensure:
- integrity of published artifacts (a modified artifact no longer matches its signature or its log entry)
- provenance tracking of software releases (every signature is recorded in a public, append-only log)
- tamper evidence against supply chain attacks that replace or alter a published artifact (the substitution is detected at verification time, not silently accepted)
Repository structure

| File / folder | Description |
|---|---|
| artifact.md | Initial sample artifact file to sign |
| artifact.bundle | Signed bundle generated by Sigstore for artifact.md |
| artifact_2.md | Second sample artifact |
| artifact_2.bundle | Signed bundle for artifact_2.md |
| main.py | Core verification script (inclusion and consistency checks) |
| merkle_proof.py | Utilities for working with Merkle tree proofs |
| util.py | Helper functions used across scripts |
| demo.png | Visual demo of the signing and verification steps |
| __pycache__/ | Compiled Python cache files |
| .gitignore | Files ignored by Git |
Demo workflow

The overall process is divided into three steps.

Step 1: create and sign the artifact

Generate an artifact and sign it with Sigstore (keyless signing; the CLI prompts for an OIDC identity):

```sh
echo "hello world!" > artifact_2.md
python3 -m sigstore sign --bundle artifact_2.bundle artifact_2.md
```

This generates:
- the signed bundle artifact_2.bundle (signature, signing certificate, and log entry in one file)
- transparency log entry metadata inside the bundle (e.g., logIndex, logID)
Step 2: get Merkle tree and artifact info

Extract the important fields from the bundle:

```sh
cat artifact_2.bundle | jq '.' | tail -n 5
```

Example output:

```json
"logIndex": 482833136,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
```

Check the current checkpoint of the Merkle tree:

```sh
python3 main.py -c
```
Step 3: verify the artifact

a) Verify signature and inclusion

```sh
python3 main.py --inclusion 482833136 --artifact artifact_2.md
```

The output will confirm:
- signature validity
- offline root hash calculation (the root is recomputed from the leaf and the inclusion proof, not taken from the log's answer)
- inclusion proof verification (the recomputed root matches the checkpoint)

b) Verify tree consistency

A consistency proof shows that the tree at the earlier checkpoint (the tree size and root hash below) is a prefix of the current tree, i.e. no entries were removed or rewritten between the two checkpoints:

```sh
python3 main.py --consistency \
  --tree-id 1193050959916656506 \
  --tree-size 360933865 \
  --root-hash 141a3c752daec75b527dd79101d859a33c38d94b4721e54328a9427a5a50c271
```
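Both checks in step 3 are RFC 6962 / RFC 9162 Merkle proofs, which is the construction Rekor uses. The following is an added example and is not the repository's main.py or merkle_proof.py: it builds a constructed five-entry log offline, generates inclusion and consistency proofs the way a log would, and verifies them with the same hash-and-shift algorithms a client runs against a real checkpoint. The entries and tree sizes are made up; the hashing (0x00 prefix for leaves, 0x01 for interior nodes, SHA-256) is the standard one.

```python
"""RFC 6962 Merkle tree proofs as used by transparency logs (added example)."""
import hashlib


def leaf_hash(data: bytes) -> bytes:
    # Domain separation: leaves are hashed with a 0x00 prefix ...
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never be passed off as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2); RFC 6962's k.
    return 1 << ((n - 1).bit_length() - 1)


def root_hash(leaves):
    """MTH(D[n]) from RFC 6962 section 2.1."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_path(m, leaves):
    """PATH(m, D[n]): sibling hashes from leaf m up to the root (what a log returns)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_path(m, leaves[:k]) + [root_hash(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [root_hash(leaves[:k])]


def consistency_path(m, leaves, b=True):
    """PROOF(m, D[n]) via SUBPROOF: hashes linking the size-m root to the size-n root."""
    n = len(leaves)
    if m == n:
        return [] if b else [root_hash(leaves)]
    k = _split(n)
    if m <= k:
        return consistency_path(m, leaves[:k], b) + [root_hash(leaves[k:])]
    return consistency_path(m - k, leaves[k:], False) + [root_hash(leaves[:k])]


def verify_inclusion(leaf, index, tree_size, proof, root) -> bool:
    """RFC 9162 2.1.3.2: recompute the root from the leaf and its audit path."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False  # more proof hashes than the tree has levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # we are a right child: sibling goes on the left
            while not (fn & 1) and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)  # we are a left child
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


def verify_consistency(first, second, first_hash, second_hash, proof) -> bool:
    """RFC 9162 2.1.4.2: the old root must be a prefix-subtree of the new root."""
    if first == second:
        return proof == [] and first_hash == second_hash
    if not 0 < first < second or not proof:
        return False
    if first & (first - 1) == 0:  # old size is a power of two: old root is a full node
        proof = [first_hash] + list(proof)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = proof[0]  # fr rebuilds the old root, sr the new root
    for c in proof[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while not (fn & 1) and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == first_hash and sr == second_hash


def demo():
    """Constructed sample log (not real Rekor data): the README's artifact is entry 0."""
    entries = [b"hello world!\n", b"other release\n", b"third\n", b"fourth\n", b"fifth\n"]
    old, new = entries[:3], entries
    old_root, new_root = root_hash(old), root_hash(new)
    path0, cpath = inclusion_path(0, new), consistency_path(len(old), new)
    return {
        "inclusion_ok": verify_inclusion(entries[0], 0, len(new), path0, new_root),
        # A one-byte change to the artifact must fail even with a genuine proof.
        "tampered_leaf_rejected": not verify_inclusion(b"hello world\n", 0, len(new), path0, new_root),
        "consistency_ok": verify_consistency(len(old), len(new), old_root, new_root, cpath),
        # A log that rewrote an old entry cannot produce a proof back to the honest old root.
        "forked_log_rejected": not verify_consistency(
            len(old), len(new), root_hash(old[:2] + [b"x"]), new_root, cpath),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The two verifiers never trust a hash the log hands back: the root is recomputed from the leaf (inclusion) or from the old root (consistency) and only then compared with the checkpoint, which is the property step 3's "offline root hash calculation" refers to.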
Demo screenshot

(see demo.png in the repository; the image is not reproduced here)
Prerequisites

- Python 3.8+
- sigstore CLI tool
- jq for JSON parsing
- pip install -r requirements.txt (if present)
Use case

This setup is suited to:
- securing CI/CD pipelines (sign artifacts at build time, verify before deployment)
- ensuring the integrity of open-source releases
- validating the provenance of dependencies before they are consumed
Author

Aaditya Rengarajan <ar9668>

Assignment for Software Supply Chain Security

[To-do]
- [ ] review test cases written with AI assistance
Download files
Source Distribution
Built Distribution
File details
Details for the file sscs_assignment-0.1.0.tar.gz.
File metadata
- Download URL: sscs_assignment-0.1.0.tar.gz
- Upload date:
- Size: 153.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.2.1 CPython/3.12.3 Windows/11
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | e6fa11d8e13e7bf445620e09780f790d00988e7e6f4cf4e08aa320498ee86e42 |
| MD5 | 7c4f9e38d4b23cc9dca76886ddedc73e |
| BLAKE2b-256 | 9a3bca9fbd5f4897c4e39d7a97c7b3321be25e0735743498e32cd29690253150 |
File details
Details for the file sscs_assignment-0.1.0-py3-none-any.whl.
File metadata
- Download URL: sscs_assignment-0.1.0-py3-none-any.whl
- Upload date:
- Size: 162.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.2.1 CPython/3.12.3 Windows/11
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | f01292860db603d15ecc7f896f9308d69d2f690e79e02d6b00ff7524279031ff |
| MD5 | ba2613572afcd3ade5043c8645fdcdc7 |
| BLAKE2b-256 | c3edcd3e39330309b0a6106b685465fcb9054cd6cd998ed77952d537a6ae7502 |