zk-Sigstore: System for Anonymous Certificate-Based Software Signing
Author(s)
Merrill, Kelsey
Advisor
Sollins, Karen R.
Abstract
Most software developers get their software dependencies from online repositories, which makes the development process more efficient. However, downloading software from the internet comes with security concerns, and open source software security issues have led to several high-profile attacks. To combat the problem, many repositories have implemented digital signatures for packages to verify the contributor's identity, but with limited success, owing to well-documented usability issues surrounding key management. The digital signature primitive itself also does not answer the question of which signers have the authority to sign which artifact. Proposals such as Sigstore that aim to fix the usability problems of digital signatures come with privacy concerns that have limited their uptake, and though they provide some answers to the signing-authority question, those answers come with scalability, verifiability, and privacy concerns.
This thesis presents zk-Sigstore, a system for usable (certificate-based) and anonymous digital signatures for software. zk-Sigstore is a certificate-based signature system, but instead of publishing identities in the clear, it obfuscates identities with a cryptographic commitment. Techniques from key transparency verifiable key directories inform a scalable, verifiable, and private authorization record that maps digital artifacts to the maintainers with the authority to sign them.
Using zk-Sigstore for software signing, signing and verifying times are on the order of hundreds of microseconds even for the largest software repositories, and deploying zk-Sigstore requires minimal changes to existing infrastructure, making it a practical solution to this real-world problem.
Date issued
2023-06
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology