Provenance

Ensuring the authenticity and integrity of packages is critical to the software supply chain. Source of origin verification and build provenance play key roles in this context, providing a robust framework to validate the origins of packages and the integrity of the build process.

What is source of origin verification and build provenance?

Source of origin verification is a practice that enhances the level of confidence in the authenticity of a package, ensuring that it originates from a specific code source repository, along with other claimed metadata. This practice is crucial for several reasons:

  • It ensures authenticity and legitimacy. A verified source of origin provides additional guarantees around the legitimacy of a package, ensuring that it is genuine and has not been tampered with. In the current landscape, some package managers cannot verify that the metadata published alongside a package is accurate and truthful. This verification gap can lead to security vulnerabilities and misinformation.

  • Without source of origin verification, package managers are susceptible to attacks such as starjacking, where attackers claim to be associated with a popular repo to deceive users. Additionally, it becomes easier for attackers to perform typosquatting attacks, where a malicious package is created with a name similar to a popular package in an attempt to trick users into downloading it. A verified source of origin helps prevent these attacks by ensuring that the package's claimed origin and popularity metrics are authentic.

  • It establishes a foundation for build provenance. Source of origin verification is a foundational step in establishing build provenance, which ensures that the compiled source code results in a package with integrity. Build provenance goes beyond verifying the source of the code, ensuring that the entire build process, from code compilation to package distribution, is secure and verifiable.

How Trusty determines source of origin and build provenance

Trusty reports source of origin and build provenance information for open source packages using one of several techniques:

  1. Sigstore provenance: Sigstore is an open source project that makes it easier for developers to cryptographically sign and verify artifacts. When packages have been built and signed with Sigstore using GitHub Actions, Trusty displays a badge indicating a verifiable chain of trust back to the source code.

    • Currently, npm is the only package registry that supports publishing Sigstore provenance statements with packages.
  2. Go checksum database: All public Go modules have cryptographic signatures in the Go checksum database to establish provenance. Trusty reports this provenance information as provided in the public module index.

  3. Historical provenance: For packages that have not been signed with Sigstore, Trusty can establish a link from a published package to its source repository by mapping Git tags and releases to published versions of the package. This is called "historical provenance."
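
The tag-to-version mapping behind historical provenance can be sketched as follows. This is an added example, not Trusty's own code: the tag naming conventions it normalizes, the package name `left-widget`, and the sample versions and tags are all assumptions constructed for illustration.

```python
import re
from typing import Optional

VERSION_RE = re.compile(r"\d+(\.\d+)*([-+.][0-9A-Za-z.+-]+)?")

def normalize_tag(tag: str, package: str) -> Optional[str]:
    """Reduce a Git tag to a bare version string, or None if it is not a version tag."""
    t = tag.removeprefix("refs/tags/")
    # Monorepo-style tags (assumed conventions): pkg@1.2.3, pkg-1.2.3, pkg/v1.2.3
    for sep in ("@", "-", "/"):
        if t.startswith(package + sep):
            t = t[len(package) + 1:]
            break
    # Optional "release-" and/or "v" prefix (assumed conventions)
    t = re.sub(r"^(?:release[-_/]?)?v?", "", t, count=1, flags=re.IGNORECASE)
    return t if VERSION_RE.fullmatch(t) else None

def historical_provenance(package, published_versions, git_tags):
    """Map each published version to the Git tag that claims it, if any."""
    tag_by_version = {}
    for tag in git_tags:
        version = normalize_tag(tag, package)
        if version is not None:
            tag_by_version.setdefault(version, tag)  # first matching tag wins
    matched = {v: tag_by_version[v] for v in published_versions if v in tag_by_version}
    unmatched = [v for v in published_versions if v not in tag_by_version]
    coverage = len(matched) / len(published_versions) if published_versions else 0.0
    return {"matched": matched, "unmatched": unmatched, "coverage": coverage}

# Constructed sample data for a hypothetical package "left-widget".
PUBLISHED = ["1.0.0", "1.0.1", "1.1.0", "2.0.0"]
TAGS = ["refs/tags/v1.0.0", "left-widget@1.0.1", "release-1.1.0", "docs-refresh"]

if __name__ == "__main__":
    report = historical_provenance("left-widget", PUBLISHED, TAGS)
    for version, tag in report["matched"].items():
        print(f"{version}: tag {tag}")
    for version in report["unmatched"]:
        print(f"{version}: no matching tag, origin unverified")
    print(f"coverage: {report['coverage']:.0%}")
```

A published version with no corresponding tag (here `2.0.0`) is the case to review. A name-based tag match is only a correlation between registry and repository; unlike signed provenance, it does not show that the artifact was built from the tagged commit.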