Signing CPAN Releases with SigStore

At the most recent Perl Toolchain Summit (PTS) in Vienna we decided to deprecate Module::Signature. Module::Signature has been around for a long time, but it has become increasingly clear that it does not provide the security assurances it was designed to deliver.

Dist::Zilla::Plugin::SigStore::SignRelease is a new plugin that signs your CPAN release with SigStore before uploading. SigStore uses short-lived certificates issued against an OIDC identity: you authenticate with Google, GitHub, or Microsoft, and cosign produces a signature bundle that carries the certificate, the signature and the transparency-log proof. No long-lived keys, no keyserver dance.

How it works

The plugin extends the Dist::Zilla plugin UploadToCPAN. During dzil release, it:

  1. Calls cosign sign-blob on your release archive, producing a .sigstore.json bundle file.
  2. Pulls the certificate out of the bundle and verifies the signature locally before anything leaves your machine.
  3. Uploads both the tarball and the bundle to PAUSE.

cosign also records the signing event (the digest of the archive, the certificate and the signature) in Rekor, SigStore's public append-only transparency log, and the inclusion proof is embedded in the .sigstore.json bundle. Anyone verifying your release can confirm the signing event was publicly logged at the time it happened, which is what lets a short-lived certificate still be trusted after it has expired.

Using it

Remove the existing uploader from your dist.ini and add the plugin in its place (if you do not use @Basic, just delete the [UploadToCPAN] stanza):

[@Filter]
bundle = @Basic
remove = UploadToCPAN ; Do this if you use @Basic

[SigStore::SignRelease]

Non-CPAN Requirements

You'll need cosign in your PATH; the plugin shells out to it for both the signing and the local verification step.

Next Steps

PAUSE doesn't verify SigStore signatures yet, and no CPAN client checks them on install.

This is opt-in transparency: the bundle ships alongside the tarball, and anyone who cares can verify it themselves.

Hopefully more support for SigStore will be developed soon. Until then, signing your releases allows anyone to verify them by hand:

cosign verify-blob Your-Dist-0.01.tar.gz \
--bundle Your-Dist-0.01.tar.gz.sigstore.json \
--certificate-identity you@example.com \
--certificate-oidc-issuer https://accounts.google.com

The --certificate-identity and --certificate-oidc-issuer flags are what give the check its meaning: without them cosign only proves that some SigStore-issued certificate signed the file, not that you did. Use the issuer you authenticated with (https://github.com/login/oauth for GitHub, https://login.microsoftonline.com for Microsoft).
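Here is the consumer side of that check in Perl, as an added example that is not part of the plugin or of this post. It does a little more than run cosign: it first checks that the digest embedded in the bundle matches the tarball actually downloaded (a bundle carries a hash of the archive, not the archive itself, so a bundle paired with the wrong tarball fails fast and offline), and it refuses to verify at all unless an identity and issuer are pinned. The JSON field path messageSignature.messageDigest is the SigStore bundle layout as I understand it and is an assumption of this script; cosign's own verification remains the authoritative check.

```perl
#!/usr/bin/env perl
# verify-cpan-release.pl: consumer-side check of a CPAN tarball against its
# SigStore bundle. Added example; not the plugin's code. Assumes the bundle
# follows the SigStore JSON bundle layout and that cosign is on PATH.
use strict;
use warnings;
use Digest::SHA  ();
use JSON::PP     ();
use MIME::Base64 ();

# Return the raw SHA-256 digest the bundle was produced for.
sub bundle_digest {
    my ($bundle_path) = @_;
    open my $fh, '<:raw', $bundle_path or die "open $bundle_path: $!";
    local $/;
    my $bundle = JSON::PP->new->decode(<$fh>);
    # Assumed field path: messageSignature.messageDigest.{algorithm,digest}
    my $md = $bundle->{messageSignature}{messageDigest}
        or die "bundle has no messageSignature.messageDigest";
    die "unexpected digest algorithm: " . ($md->{algorithm} // 'none')
        unless ($md->{algorithm} // '') eq 'SHA2_256';
    return MIME::Base64::decode_base64($md->{digest});
}

# Hash the tarball ourselves; this is what ties the bundle to the file
# that was actually downloaded rather than to whatever it was made for.
sub file_digest {
    my ($path) = @_;
    return Digest::SHA->new(256)->addfile($path, 'b')->digest;
}

# Returns 1 on success, 0 on any failure. Dies if identity or issuer is
# missing: verifying without them only proves "someone with a SigStore
# certificate signed this", which is not a useful statement.
sub verify_release {
    my (%arg) = @_;
    for my $k (qw(tarball bundle identity issuer)) {
        die "refusing to verify without $k\n"
            unless defined $arg{$k} && length $arg{$k};
    }
    if (file_digest($arg{tarball}) ne bundle_digest($arg{bundle})) {
        warn "digest mismatch: bundle was not made for $arg{tarball}\n";
        return 0;
    }
    # List-form system(): no shell, so file names are never interpreted.
    my @cmd = (
        'cosign', 'verify-blob', $arg{tarball},
        '--bundle',                  $arg{bundle},
        '--certificate-identity',    $arg{identity},
        '--certificate-oidc-issuer', $arg{issuer},
    );
    my $rc = system @cmd;
    if ($rc == -1) { warn "could not run cosign: $!\n"; return 0 }
    return $rc == 0 ? 1 : 0;
}

# usage: verify-cpan-release.pl Your-Dist-0.01.tar.gz you@example.com \
#            https://accounts.google.com
die "usage: $0 DIST.tar.gz IDENTITY ISSUER\n" unless @ARGV == 3;
my ($tarball, $identity, $issuer) = @ARGV;
exit(verify_release(
    tarball  => $tarball,
    bundle   => "$tarball.sigstore.json",
    identity => $identity,
    issuer   => $issuer,
) ? 0 : 1);
```

Everything used is core Perl, so the script runs anywhere cosign does. The digest pre-check is deliberately done before cosign is invoked: it catches the common packaging mistake (bundle and tarball out of step) without touching the network, and it means a mismatch is reported as a mismatch rather than as a generic signature failure.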

It's a first step towards verifiable releases in the Perl ecosystem. Try it on your next release and let me know how it goes.

About Timothy Legge

FOSS developer who has been scratching various itches for many years.