Sigstore Java - Sign And Verify Your Java Builds
Written by Nikos Vaggalis   
Thursday, 23 March 2023

sigstore-java, currently under development and not yet ready for general-purpose use, is a tool for signing and verifying Java package distributions with Sigstore's keyless signing. This is one more step being taken by Sigstore towards securing the software supply chain.

Sigstore signing empowers software developers to securely sign software artifacts such as release files, container images and binaries. These signatures are then stored in a tamper-proof public log - for free.

As a refresher, the Sigstore ecosystem consists of:


  • Cosign
    For container signing, verification and storage in an Open Container Initiative (OCI) registry, making signatures invisible infrastructure.
  • Rekor
    A built-in transparency and timestamping service. Rekor records signed metadata to a ledger that can be searched but can't be tampered with.
  • OpenID Connect
    An identity layer that checks if you're who you say you are. It lets clients request and receive information about authenticated sessions and users.
  • Fulcio
    A free root certification authority, issuing temporary certificates to an authorized identity and publishing them in the Rekor transparency log.
  • Certificate Authority
    A mechanism that generates certificates, binding cryptographic keys to an identity and an independent check over an artifact's information.
  • Trust root
    The foundation for trust behind the whole of sigstore, our keyholders and ways of working to protect the root keys.


The sigstore-java client library, under development, will provide a native Java implementation of the signing and verification services.
The motivation is that OSSRH, aka Maven Central, is planning to replace its aging PGP-based system for signing Java distributions with Sigstore's. The old way, although working, has its own issues, mainly:

Like other registries, the value of these signatures is not truly realized due to shortcomings in public key infrastructure, developer tooling, and no extant chain of trust for developers.

Sigstore is designed to solve these problems with elegance and runtime properties that are especially appealing in common Java development and CI environments.

The migration process from PGP to Sigstore has been broken down into distinct steps:


  • Stage 0 - Maven Central has historically required a PGP signature for all uploaded artifacts.
    That requirement is being dropped for Sigstore-signed artifacts.
  • Stage 1 — Include Sigstore signature verification in Maven Central repository pre-release checks. The supported workflows will be:
       artifact set + PGP signature + Sigstore signature
       artifact set + PGP signature
       artifact set + Sigstore signature
    In all workflows, all provided cryptographic signatures will be verified.
  • Stage 2 & Beyond — Verification
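To make the Stage 1 acceptance rule concrete, here is an added illustration (not code from sigstore-java or Maven Central): an artifact set is accepted only if it carries at least one of the supported signature types and every signature that is present verifies. The `Verifier` interface, the scheme names "pgp" and "sigstore", and the ECDSA key pairs standing in for the real PGP and Sigstore checks are all assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class PreReleaseCheck {
    // Hypothetical stand-in for a per-scheme check; the real PGP and Sigstore verifiers are not modelled.
    interface Verifier {
        boolean verify(byte[] artifact, byte[] signature) throws Exception;
    }

    // Stage 1 policy: at least one supported signature must be present and every
    // signature that is present must verify; an unknown scheme counts as a failure.
    static boolean accept(byte[] artifact, Map<String, byte[]> signatures,
                          Map<String, Verifier> verifiers) throws Exception {
        if (signatures.isEmpty()) return false;
        for (Map.Entry<String, byte[]> e : signatures.entrySet()) {
            Verifier v = verifiers.get(e.getKey());
            if (v == null || !v.verify(artifact, e.getValue())) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] artifact = "constructed artifact bytes".getBytes(StandardCharsets.UTF_8);
        Map<String, Verifier> verifiers = new LinkedHashMap<>();
        Map<String, byte[]> sigs = new LinkedHashMap<>();
        for (String scheme : new String[] {"pgp", "sigstore"}) {
            // A fresh ECDSA key pair plays the role of each scheme's signer (constructed, not real keys).
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(256);
            KeyPair kp = kpg.generateKeyPair();
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initSign(kp.getPrivate());
            s.update(artifact);
            sigs.put(scheme, s.sign());
            verifiers.put(scheme, (a, sig) -> {
                Signature v = Signature.getInstance("SHA256withECDSA");
                v.initVerify(kp.getPublic());
                v.update(a);
                return v.verify(sig);
            });
        }
        System.out.println("pgp + sigstore: " + accept(artifact, sigs, verifiers));
        System.out.println("sigstore only:  " + accept(artifact, Map.of("sigstore", sigs.get("sigstore")), verifiers));
        System.out.println("unsigned:       " + accept(artifact, Map.of(), verifiers));
        // An artifact altered after signing fails even though both signatures are present.
        byte[] tampered = "tampered artifact bytes".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered:       " + accept(tampered, sigs, verifiers));
    }
}
```

The two supported workflows shown are accepted, while an unsigned upload and a tampered artifact are both rejected, which is the "all provided signatures will be verified" rule in practice.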


To make it easier to sign and publish to Maven Central, the signing activity is going to be incorporated into Java's build tools,
Maven and Gradle. The intent is for Gradle versions 7.3 or higher to support Sigstore signing, while verification will require version 8.2+.

As for Maven there's already the Maven Sigstore plugin that supports generating and publishing Sigstore signatures to Central. The work done on its repository will eventually collapse into the Sigstore Java project.

Of course, we are talking about signing the end result, the build. But what about securing the whole chain, from the bottom up to the build? Sigstore has an answer to that too with Gitsign. As examined in "Protect The Software Supply Chain With Gitsign":

Since everybody is on Git, what better way of starting with signing the initial artifacts of the supply chain, the commits? While Sigstore had released tools for signing containers and binaries, there was nothing for signing git commits. This is about to change with Gitsign, which allows you to sign your commits in a keyless fashion by using your GitHub / OIDC identity.

Not only does this relieve you of the burden of managing the keys yourself, it also deals with the issue of those keys many times ending up being written inside the source of the repo itself, in effect canceling out the signing process.

So now when signing commits as usual with git commit -S, your browser will redirect through the Sigstore Keyless flow to authenticate and sign the commit. I say 'as usual' since GitHub was already offering signing commits with SSH keys and x509 certificates, bearing the cost of the keys' management. Gitsign now removes this need.

Of course there's much more to be done in securing the supply chain and the latest ChainGuard "SLSA++ A Survey of Software Supply Chain Security" takes an in-depth look at how the industry is adopting the best practices. For extended commentary make sure to check "Surveying Software Supply Chain Security".


More Information

sigstore-java

Maven Sigstore

Related Articles

Surveying Software Supply Chain Security

Protect The Software Supply Chain With Gitsign

Does Sigstore Really Secure The Supply Chain?

Sigstore Reaches General Availability


Last Updated ( Friday, 24 March 2023 )