Federated identity for artifact signing
Definition
Federated identity for artifact signing is the practice of authenticating the user or workload that signs a software artifact through a trusted identity provider whose assertions are accepted across domains and systems (for example, a CI job in one organization signing with an identity issued by an external provider). Instead of holding a long-lived private key, the signer presents a short-lived identity token, typically an OpenID Connect ID token obtained via OAuth 2.0, and the signing service binds the resulting signature or certificate to the token's verified claims (issuer, subject, audience, expiry). Verifiers can then check who signed an artifact, not merely that some key did, which limits the damage of a stolen key and maintains the integrity and authenticity of the software supply chain. The security of the scheme rests on the signing service validating the token's signature and claims against an explicit policy before it signs; a policy that accepts any identity, or a signer that falls back to a static key, loses those guarantees.
Secure Settings Example
# Example configuration for federated identity in a CI/CD pipeline
artifactSigning:
  enabled: true
  identityProvider:
    type: OpenIDConnect
    issuer: https://accounts.example.com
    clientId: my-ci-cd-client
    clientSecret: ${CI_OIDC_CLIENT_SECRET}   # injected from the secret store at runtime, never committed
  signingKey:
    useFederatedIdentity: true               # sign with a short-lived identity, not a static key
    keyId: federated-key-id
  policies:
    - name: require-authentication
      action: sign
      conditions:
        - federatedIdentity: true            # only a verified federated identity may sign
Insecure Settings Example
# Example of insecure artifact signing configuration
artifactSigning:
  enabled: true
  identityProvider:
    type: OpenIDConnect
    issuer: https://accounts.example.com
    clientId: my-ci-cd-client
    clientSecret: insecure-client-secret     # Hardcoded secret
  signingKey:
    useFederatedIdentity: false              # Not using federated identity
    keyId: static-key-id                     # Long-lived key anyone with repo access can reuse
  policies:
    - name: allow-unauthenticated
      action: sign
      conditions:
        - federatedIdentity: false           # Allows unauthenticated signing
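The policies above only mean something if the signing service actually validates the presented identity token before it signs. The following Python is an added example, not code from the original page or from any signing tool, showing what the require-authentication policy has to check: the token's signature, its issuer, audience, lifetime, and that the subject is on an allow-list of workload identities. To run offline it mints a constructed ID token with HS256 and a shared test key; real identity providers sign ID tokens with RS256 or ES256 and publish their keys via a JWKS endpoint, so the signature step would be a JWKS lookup in production. The policy values (audience name, allowed subject) are assumptions chosen for the example.

```python
"""Policy enforcement for federated (OIDC) artifact signing.

Added example: verifies a constructed ID token, then decides whether the
identity it carries is allowed to sign an artifact. HS256 with a shared
test key stands in for the IdP's asymmetric signature (assumption for
offline use only).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

TEST_KEY = b"test-only-shared-key"  # constructed key for the example; not a real IdP key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Mint a constructed HS256 ID token; plays the role of the identity provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = TEST_KEY) -> dict:
    """Return the claims only after the signature checks out; pin the algorithm."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never accept 'none' or a switched algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


# Mirrors the page's require-authentication policy; audience and subject are assumed values.
SIGNING_POLICY = {
    "issuer": "https://accounts.example.com",
    "audience": "artifact-signer",
    "allowed_subjects": {"repo:example/app:ref:refs/heads/main"},
    "max_lifetime_s": 600,  # reject tokens minted with a long validity window
}


def authorize_signing(token: str, policy: dict = SIGNING_POLICY,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the federated identity in `token` may sign an artifact."""
    now = time.time() if now is None else now
    try:
        claims = verify_token(token)
    except ValueError as e:
        return False, f"token rejected: {e}"
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer not trusted"
    aud = claims.get("aud")
    if aud != policy["audience"] and not (isinstance(aud, list) and policy["audience"] in aud):
        return False, "audience mismatch"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    if not isinstance(iat, (int, float)) or exp - iat > policy["max_lifetime_s"]:
        return False, "token lifetime exceeds policy"
    if claims.get("sub") not in policy["allowed_subjects"]:
        return False, f"subject {claims.get('sub')!r} not allowed to sign"
    return True, f"signing authorized for {claims['sub']}"


if __name__ == "__main__":
    now = time.time()
    token = make_token({"iss": SIGNING_POLICY["issuer"], "aud": "artifact-signer",
                        "sub": "repo:example/app:ref:refs/heads/main",
                        "iat": now, "exp": now + 300})
    print(authorize_signing(token, now=now))
```

The subject allow-list is the part that makes federation useful for supply-chain purposes: a token from the right issuer but for a feature branch, a fork, or a different repository is still rejected, so the signature can only ever be produced by the release workflow the policy names.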