software-supply-chain-security

this repository demonstrates software supply chain security practices using sigstore for artifact signing and verification.
it includes steps to create, sign, and verify software artifacts, along with verifying their inclusion in a merkle tree transparency log.

the workflow implemented here helps ensure:

integrity of published artifacts
provenance tracking of software releases
prevention of supply chain attacks

repository structure

file / folder	description
`artifact.md`	initial sample artifact file to sign
`artifact.bundle`	signed bundle generated by sigstore for `artifact.md`
`artifact_2.md`	second sample artifact
`artifact_2.bundle`	signed bundle for `artifact_2.md`
`main.py`	core verification script (inclusion & consistency checks)
`merkle_proof.py`	utilities for working with merkle tree proofs
`util.py`	helper functions used across scripts
`demo.png`	visual demo of signing and verification steps
`__pycache__/`	compiled python cache files
`.gitignore`	ignored files for git

demo workflow

the overall process is divided into three steps:

step 1: create & sign artifact

generate an artifact and sign it with sigstore:

echo "hello world!" > artifact_2.md
python -m sigstore sign --bundle artifact_2.bundle artifact_2.md

this generates:

the signed bundle artifact_2.bundle
transparency log entry metadata (e.g., logIndex, logID)

step 2: get merkle tree & artifact info

extract important fields from the bundle:

cat artifact_2.bundle | jq '.' | tail -n 5

example output:

"logIndex": 482833136,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"

check the current checkpoint of the merkle tree:

python3 main.py -c

step 3: verify artifact

a) verify signature & inclusion

python main.py --inclusion 482833136 --artifact artifact_2.md

output will confirm:

signature validity
offline root hash calculation
inclusion proof verification

b) verify tree consistency

python3 main.py --consistency \
  --tree-id 1193050959916656506 \
  --tree-size 360933865 \
  --root-hash 141a3c752daec75b527dd79101d859a33c38d94b4721e54328a9427a5a50c271

demo screenshot

prerequisites

python 3.8+
sigstore cli tool
jq for json parsing
pip install -r requirements.txt (if present)

use case

this setup is ideal for:

securing ci/cd pipelines
ensuring integrity of open-source releases
validating provenance of dependencies

author

aaditya rengarajan <ar9668> assignment for software supply chain security

[to-do]

[] review test-cases written with ai-assistance

Name		Name	Last commit message	Last commit date
Latest commit History 60 Commits
.github/workflows		.github/workflows
sscs_assignment		sscs_assignment
.gitignore		.gitignore
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.md		README.md
SECURITY.md		SECURITY.md
cosign-commands.sh		cosign-commands.sh
cosign.pub		cosign.pub
cyclonedx-sbom.json		cyclonedx-sbom.json
demo.png		demo.png
poetry.lock		poetry.lock
pyproject.toml		pyproject.toml
requirements.txt		requirements.txt
sscs_assignment.attestation.bundle		sscs_assignment.attestation.bundle

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

software-supply-chain-security

repository structure

demo workflow

step 1: create & sign artifact

step 2: get merkle tree & artifact info

step 3: verify artifact

a) verify signature & inclusion

b) verify tree consistency

demo screenshot

prerequisites

use case

author

[to-do]

About

Uh oh!

Releases 2

Packages

Languages

License

rogue0xbyte/assignment-1-sscs

Folders and files

Latest commit

History

Repository files navigation

software-supply-chain-security

repository structure

demo workflow

step 1: create & sign artifact

step 2: get merkle tree & artifact info

step 3: verify artifact

a) verify signature & inclusion

b) verify tree consistency

demo screenshot

prerequisites

use case

author

[to-do]

About

Resources

License

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 2

Packages 0

Languages

Packages