Showing 4 changed files with 66 additions and 7 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
{"config":{"indexing":"full","lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"Introduction This is the documentation of Software Transparency as a Service-STaaS platform. You can use STaaS for free here . You can access the source code of STaaS platform at GitHub . Overview STaaS platform is a free, open-source platform for signing artifacts. Signatures are generated using an one-time signing key. The corresponding public key is included in a short-lived certificate. This certificate also includes the identity of the user in the STaaS platform. User authentication in STaaS platform is implemented using OpenID Connect. Signatures are recorded in a public, auditable registry. Technology stack Short-lived certificates are generated using a private instance of Fulcio CA . Signatures are recorded in the public instance of Rekor . STaaS generates a signature bundle that can be verified using Cosign .","title":"Introduction"},{"location":"#introduction","text":"This is the documentation of Software Transparency as a Service-STaaS platform. You can use STaaS for free here . You can access the source code of STaaS platform at GitHub .","title":"Introduction"},{"location":"#overview","text":"STaaS platform is a free, open-source platform for signing artifacts. Signatures are generated using an one-time signing key. The corresponding public key is included in a short-lived certificate. This certificate also includes the identity of the user in the STaaS platform. User authentication in STaaS platform is implemented using OpenID Connect. Signatures are recorded in a public, auditable registry.","title":"Overview"},{"location":"#technology-stack","text":"Short-lived certificates are generated using a private instance of Fulcio CA . Signatures are recorded in the public instance of Rekor . 
STaaS generates a signature bundle that can be verified using Cosign .","title":"Technology stack"},{"location":"01_web/","text":"Web UI STaaS can be accessed using a Web Ui","title":"Web UI"},{"location":"01_web/#web-ui","text":"STaaS can be accessed using a Web Ui","title":"Web UI"},{"location":"02_api/","text":"API STaaS provides an API that can be used for signing files Authorization Signing Listing","title":"API"},{"location":"02_api/#api","text":"STaaS provides an API that can be used for signing files","title":"API"},{"location":"02_api/#authorization","text":"","title":"Authorization"},{"location":"02_api/#signing","text":"","title":"Signing"},{"location":"02_api/#listing","text":"","title":"Listing"}]} | ||
{"config":{"indexing":"full","lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"Introduction This is the documentation of Software Transparency as a Service-STaaS platform. You can use STaaS for free here . You can access the source code of STaaS platform at GitHub . Overview STaaS platform is a free, open-source platform for signing artifacts. Signatures are generated using an one-time signing key. The corresponding public key is included in a short-lived certificate. This certificate also includes the identity of the user in the STaaS platform. User authentication in STaaS platform is implemented using OpenID Connect. Signatures are recorded in a public, auditable registry. Technology stack Short-lived certificates are generated using a private instance of Fulcio CA . Signatures are recorded in the public instance of Rekor . STaaS generates a signature bundle that can be verified using Cosign .","title":"Introduction"},{"location":"#introduction","text":"This is the documentation of Software Transparency as a Service-STaaS platform. You can use STaaS for free here . You can access the source code of STaaS platform at GitHub .","title":"Introduction"},{"location":"#overview","text":"STaaS platform is a free, open-source platform for signing artifacts. Signatures are generated using an one-time signing key. The corresponding public key is included in a short-lived certificate. This certificate also includes the identity of the user in the STaaS platform. User authentication in STaaS platform is implemented using OpenID Connect. Signatures are recorded in a public, auditable registry.","title":"Overview"},{"location":"#technology-stack","text":"Short-lived certificates are generated using a private instance of Fulcio CA . Signatures are recorded in the public instance of Rekor . 
STaaS generates a signature bundle that can be verified using Cosign .","title":"Technology stack"},{"location":"01_web/","text":"Web UI STaaS can be accessed using a Web UI Signing Artifact signature can be simply executed by following these steps: Press the Sign button Select a file to sign and optionally provide a comment In the background, the sign page calculates the digest of the selected file and submits it for signature. Signed files can be viewed by pressing the Activity button. From there, you can download the signature bundle and you can view information about the generated certificate, as well as, the record stored in the public registry. Signatures can be deleted from STaaS but they are not revoked. Verification Generated bundles can be verified using the Cosign tool . For this verification you would need STaaS's CA certificate. This can be obtained by clicking here . A signature bundle can be verified using the following command: cosign verify-blob \\ --certificate-identity=YOUR_STAAS_IDENTITY \\ --certificate-oidc-issuer=https://staas.excid.io \\ --certificate-chain ca.pem \\ --insecure-ignore-sct \\ --bundle signature.bundle \\ YOUR_FILE The --insecure-ignore-sct flag is required since certificated generated using a private instance of Fulcio are not allowed to be recorded in the transparency registry.","title":"Web UI"},{"location":"01_web/#web-ui","text":"STaaS can be accessed using a Web UI","title":"Web UI"},{"location":"01_web/#signing","text":"Artifact signature can be simply executed by following these steps: Press the Sign button Select a file to sign and optionally provide a comment In the background, the sign page calculates the digest of the selected file and submits it for signature. Signed files can be viewed by pressing the Activity button. From there, you can download the signature bundle and you can view information about the generated certificate, as well as, the record stored in the public registry. 
Signatures can be deleted from STaaS but they are not revoked.","title":"Signing"},{"location":"01_web/#verification","text":"Generated bundles can be verified using the Cosign tool . For this verification you would need STaaS's CA certificate. This can be obtained by clicking here . A signature bundle can be verified using the following command: cosign verify-blob \\ --certificate-identity=YOUR_STAAS_IDENTITY \\ --certificate-oidc-issuer=https://staas.excid.io \\ --certificate-chain ca.pem \\ --insecure-ignore-sct \\ --bundle signature.bundle \\ YOUR_FILE The --insecure-ignore-sct flag is required since certificated generated using a private instance of Fulcio are not allowed to be recorded in the transparency registry.","title":"Verification"},{"location":"02_api/","text":"API STaaS provides an API that can be used for signing files. Authorization In order to access STaaS API you need to obtain an authorization token. This can be obtained by pressing the API tokens button. The generated token should be included in all requests an Authorization header. Here is an example of a python script that uses an API token headers = { 'Authorization': 'Basic API_TOKEN' } response = requests.request(\"POST\", \"https://staas.excid.io/Api/Sign\", headers=headers) Signing STaaS API provides a Sign endpoint that expects a JSON object that includes the following attributes: HashBase64: Base64 encoding of a SHA-256 digest. Comment : A comment to be stored with the signature. 
This is an example of a python script that used the Sign API endpoint: with open(ARTIFACT_TO_SIGN,\"rb\") as f: bytes = f.read() # read entire file as bytes artifact_hash = hashlib.sha256(bytes).digest() headers = { 'Content-Type': 'application/json', 'Authorization': 'Basic API_TOKEN' } payload = f\"\"\" {{ \"HashBase64\":\"{base64.b64encode(artifact_hash).decode()}\", \"Comment\":\"{item}\" }} response = requests.request(\"POST\", url + \"Api/Sign\", headers=headers, data=payload) If the signing process is successful, the Sign endpoint responds with HTTP code 201 and the generated signature bundle.","title":"API"},{"location":"02_api/#api","text":"STaaS provides an API that can be used for signing files.","title":"API"},{"location":"02_api/#authorization","text":"In order to access STaaS API you need to obtain an authorization token. This can be obtained by pressing the API tokens button. The generated token should be included in all requests an Authorization header. Here is an example of a python script that uses an API token headers = { 'Authorization': 'Basic API_TOKEN' } response = requests.request(\"POST\", \"https://staas.excid.io/Api/Sign\", headers=headers)","title":"Authorization"},{"location":"02_api/#signing","text":"STaaS API provides a Sign endpoint that expects a JSON object that includes the following attributes: HashBase64: Base64 encoding of a SHA-256 digest. Comment : A comment to be stored with the signature. 
This is an example of a python script that used the Sign API endpoint: with open(ARTIFACT_TO_SIGN,\"rb\") as f: bytes = f.read() # read entire file as bytes artifact_hash = hashlib.sha256(bytes).digest() headers = { 'Content-Type': 'application/json', 'Authorization': 'Basic API_TOKEN' } payload = f\"\"\" {{ \"HashBase64\":\"{base64.b64encode(artifact_hash).decode()}\", \"Comment\":\"{item}\" }} response = requests.request(\"POST\", url + \"Api/Sign\", headers=headers, data=payload) If the signing process is successful, the Sign endpoint responds with HTTP code 201 and the generated signature bundle.","title":"Signing"}]} |
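Review bot: the Sign example in the new `02_api/` index text is not valid Python as written: the f-string opened with `payload = f""" {{ "HashBase64":"{base64.b64encode(artifact_hash).decode()}", "Comment":"{item}" }}` is never closed before `response = requests.request("POST", url + "Api/Sign", headers=headers, data=payload)`, `item` and `url` are never defined, and `hashlib`, `base64` and `requests` are never imported, so a reader pasting it gets a SyntaxError before reaching the API. Suggest building the body with `json.dumps({"HashBase64": base64.b64encode(artifact_hash).decode(), "Comment": comment})`, which also keeps a comment containing quotes or backslashes from producing malformed JSON, and renaming the `bytes` variable so it does not shadow the builtin. In the `01_web/` Verification text, the sentence explaining `--insecure-ignore-sct` would be clearer if it said what the flag actually skips: Cosign's check that the signing certificate carries a signed certificate timestamp from a certificate-transparency log, while the Rekor entry carried in `signature.bundle` and the chain to `ca.pem` are still verified; as written, the `insecure` in the flag name will make users wonder what else is being bypassed. Since this file is a generated search index (the `indexing`, `prebuild_index` and `separator` config keys are the mkdocs search plugin's), the same fixes need to go into the `01_web` and `02_api` source pages, or the next build will overwrite them.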