Component versions can be signed to ensure integrity along a transport chain.
Signing requires a key pair, a signature algorithm and a name for the signature, and optionally an issuer.
A component version can have multiple signatures with different names. A normalization of the
component version is used for signing. See Signing Process and Normalization for more details.
Currently, only the RSA PKCS #1 v1.5 signature algorithm is supported.
This creates two files: acme.priv containing the private key and, for convenience, acme.pub containing
the public key. Keep acme.priv confidential: anyone who holds it can produce signatures that verify
against acme.pub.
Use the sign componentversion command to sign a component version:
You can also sign a common transport archive (CTF) locally before uploading it to a component
repository:
What happened?
Digests are created for all described artifacts and for all referenced component versions; a referenced
component version's digest covers its own artifacts and references, so the digests are built bottom-up.
Then, for the top-level component versions, the component-version digests are signed. The signature and
the digests are stored in the component descriptor(s):
Beside the digests of the component descriptor layer, nothing has changed:
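The following is an added example, not code from this page or from the OCM project, that shows the digest-then-sign flow described above in Go using only the standard library: digests are computed for artifact blobs and for a referenced component version, the top-level descriptor is normalized and hashed, and only that hash is signed with RSA PKCS#1 v1.5. The Descriptor and Signature types, the normalize function, the component names, the algorithm label and the blob contents are constructed for this example and are not OCM's own; OCM's real normalization is more elaborate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Descriptor is a constructed, minimal stand-in for a component descriptor (not OCM's type).
type Descriptor struct {
	Name, Version string
	Artifacts     map[string]string // artifact name -> hex SHA-256 of the artifact content
	References    map[string]string // referenced component -> hex SHA-256 of its normalized descriptor
}

// Signature is the record stored beside the descriptor: signature name, algorithm,
// optional issuer, the digest that was signed and the raw signature value.
type Signature struct {
	Name, Algorithm, Issuer, Digest string
	Value                           []byte
}

// NewKey generates the RSA key pair, the equivalent of acme.priv and acme.pub.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// DigestHex is the digest recorded for an artifact blob or a referenced component version.
func DigestHex(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }

// normalize renders the descriptor in a canonical form (fixed field order, sorted map keys) so
// that signer and verifier hash identical bytes; a stand-in for OCM's normalization.
func normalize(d Descriptor) []byte {
	var b strings.Builder
	fmt.Fprintf(&b, "component:%s:%s\n", d.Name, d.Version)
	for _, sec := range []struct {
		label string
		m     map[string]string
	}{{"artifact", d.Artifacts}, {"reference", d.References}} {
		keys := make([]string, 0, len(sec.m))
		for k := range sec.m {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for _, k := range keys {
			fmt.Fprintf(&b, "%s:%s:%s\n", sec.label, k, sec.m[k])
		}
	}
	return []byte(b.String())
}

// Sign hashes the normalized descriptor and signs that hash with RSA PKCS#1 v1.5. Only the
// component-version digest is signed; the artifact and reference digests are covered because
// they are part of the hashed descriptor.
func Sign(name, issuer string, d Descriptor, key *rsa.PrivateKey) (Signature, error) {
	h := sha256.Sum256(normalize(d))
	v, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return Signature{Name: name, Algorithm: "RSASSA-PKCS1-V1_5", Issuer: issuer,
		Digest: fmt.Sprintf("%x", h), Value: v}, err
}

// Verify recomputes the digest of the descriptor as received, compares it with the digest
// stored in the signature and checks the RSA signature with the public key.
func Verify(d Descriptor, s Signature, pub *rsa.PublicKey) error {
	h := sha256.Sum256(normalize(d))
	if fmt.Sprintf("%x", h) != s.Digest {
		return fmt.Errorf("signature %q: stored digest does not match the descriptor", s.Name)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], s.Value); err != nil {
		return fmt.Errorf("signature %q: %w", s.Name, err)
	}
	return nil
}

// BuildExample constructs a two-level component: helloworld carries one artifact and
// references lib. Digests are computed bottom-up, as the text describes.
func BuildExample() Descriptor {
	lib := Descriptor{Name: "acme.org/lib", Version: "2.0.0",
		Artifacts: map[string]string{"libblob": DigestHex([]byte("constructed library blob"))}}
	return Descriptor{Name: "acme.org/helloworld", Version: "1.0.0",
		Artifacts:  map[string]string{"image": DigestHex([]byte("constructed image blob"))},
		References: map[string]string{"lib": DigestHex(normalize(lib))}}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	top := BuildExample()
	sig, _ := Sign("acme-sig", "", top, key)
	fmt.Println("original:", Verify(top, sig, &key.PublicKey)) // original: <nil>
	top.Artifacts["image"] = DigestHex([]byte("tampered image blob")) // swapping a blob changes the digest
	fmt.Println("tampered:", Verify(top, sig, &key.PublicKey))
}
```

Verify recomputes the digest from the descriptor it is handed, so replacing any artifact blob or referenced component version changes a digest inside the hashed descriptor and verification fails even though the signature bytes are untouched; a signature made with a different key pair fails the RSA check instead.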
The public key from the previous example cannot itself be validated: anyone can generate a key pair, so
a verifier cannot tell whose key it is. This can be changed by using a certificate instead of a bare
public key. The certificate is signed by a CA, which attests to the authenticity of the described
public key. Additionally, the common name (CN) of the certificate is validated against the issuer
attribute of the signature stored in the component descriptor.
The following example creates a CA and signing certificates that are used to sign a component version.
Create the root CA:
Create the CA that is used to create signing certificates:
Create signing certificates from the CA:
You can use additional attributes of the certificate like O, OU or C. See the command usage for details.
Instead of creating your own CA, the certificate can be requested from any official certificate authority. It requires the key usage x509.KeyUsageDigitalSignature and the extended key usage x509.ExtKeyUsageCodeSigning (the Go crypto/x509 names for the X.509 digitalSignature key usage and the codeSigning extended key usage).
To sign the component version with the certificate you need to provide the issuer; then run:
Now the issuer is stored along with the signature and, when verifying with the certificate instead of
the public key, it is checked against the certificate's common name.
To verify a signed component version you need the signer's public key or certificate. If a certificate
is provided, it is validated along its certificate chain. If an official CA was used instead of a
self-created one, you need the root certificate of that CA.
If you followed the previous examples, you can verify the signature of a component version as follows:
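As an added example, not code from this page or from the OCM project, the certificate-based variant from the CA section onwards in Go with only the standard library: a root CA, an issuing CA and a signing certificate carrying x509.KeyUsageDigitalSignature and x509.ExtKeyUsageCodeSigning are created in memory, the descriptor bytes are signed with the issuer recorded beside the signature, and verification checks the chain to the trusted root, the certificate's CN against the stored issuer, and finally the RSA PKCS#1 v1.5 signature. The certificate names (certificate-authority, acme-ca, acme.org), the IssuedSignature and Chain types and the descriptor bytes are constructed assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssuedSignature is a constructed stand-in for a signature record carrying the issuer attribute.
type IssuedSignature struct{ Issuer string; Value []byte }

// Chain is the constructed PKI from the text: root CA -> issuing CA -> signing certificate.
type Chain struct{ Root, CA, Signing *x509.Certificate; SigningKey *rsa.PrivateKey }

// newCert issues a certificate for pub signed by parent/parentKey; parent == nil self-signs a root.
func newCert(cn string, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning} // the usage the text requires
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain mirrors the three steps in the text: root CA, issuing CA, then the signing certificate.
func BuildChain() (*Chain, error) {
	names := []string{"certificate-authority", "acme-ca", "acme.org"} // the last one is the signing cert
	var certs, keys = [3]*x509.Certificate{}, [3]*rsa.PrivateKey{}
	for i, cn := range names {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		keys[i] = k
		parent, parentKey := (*x509.Certificate)(nil), k // the root signs itself
		if i > 0 {
			parent, parentKey = certs[i-1], keys[i-1] // every other cert is signed by the one above it
		}
		if certs[i], err = newCert(cn, i < 2, &k.PublicKey, parent, parentKey); err != nil {
			return nil, err
		}
	}
	return &Chain{Root: certs[0], CA: certs[1], Signing: certs[2], SigningKey: keys[2]}, nil
}

// SignWithIssuer hashes the data, signs the hash with RSA PKCS#1 v1.5 and records the issuer beside it.
func SignWithIssuer(data []byte, issuer string, key *rsa.PrivateKey) (IssuedSignature, error) {
	h := sha256.Sum256(data)
	v, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return IssuedSignature{Issuer: issuer, Value: v}, err
}

// VerifyWithCert checks the chain to the trusted root (code-signing usage), the CN against the stored issuer, then the signature.
func VerifyWithCert(data []byte, sig IssuedSignature, cert, intermediate, root *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(intermediate)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if cert.Subject.CommonName != sig.Issuer {
		return fmt.Errorf("issuer mismatch: certificate CN %q, signature issuer %q", cert.Subject.CommonName, sig.Issuer)
	}
	return cert.CheckSignature(x509.SHA256WithRSA, data, sig.Value) // SHA-256 + RSA PKCS#1 v1.5
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	data := []byte("constructed normalized component descriptor")
	sig, _ := SignWithIssuer(data, "acme.org", ch.SigningKey)
	fmt.Println("verify:", VerifyWithCert(data, sig, ch.Signing, ch.CA, ch.Root)) // verify: <nil>
}
```

With an official CA, the root pool would hold that CA's root certificate instead of the self-created one. The chain check alone is not sufficient: any other certificate issued by the same CA would pass it, which is why the issuer recorded with the signature is compared against the certificate's CN before the signature itself is checked.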