Profile Applicability:
Level 1
Description:
Every version of a software artifact—such as binaries, libraries, packages, or container images—must have its digital signature verified before deployment or integration. Signature validation confirms that an artifact was produced by the expected publisher (authenticity) and has not been altered since it was signed (integrity), so that tampered or maliciously replaced versions are rejected rather than consumed.
Rationale:
Validating signatures for all artifact versions protects against supply chain attacks, unauthorized modifications, and the use of compromised components. It strengthens trust in software delivery pipelines and supports compliance with security and audit requirements.
Impact:
Pros:
Ensures artifact authenticity and integrity.
Prevents deployment of malicious or tampered software.
Supports secure software supply chain practices.
Facilitates compliance with security standards and regulations.
Cons:
Requires management of signing keys and validation processes.
May add complexity to build and deployment workflows.
Default value:
Not enforced by default. Some environments validate signatures only for the latest artifact version; others do not validate signatures at all unless explicitly configured to do so.
Audit:
Review deployment and integration logs to confirm that signature validation was performed and passed for every artifact version that was accepted, not only the latest one. Inspect the configuration of the tools responsible for signature verification (package managers, registries, admission controllers, CI/CD steps) to confirm that verification is enabled, cannot be bypassed by a build flag, and fails closed on a missing or invalid signature.
Remediation:
Implement policies and automation that enforce signature validation on every artifact version before acceptance, rejecting the artifact when a signature is missing or invalid. Maintain secure key management and rotation practices for the trusted signing keys. Train teams on why signature validation matters and how to perform it.
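To make the Audit and Remediation steps above concrete, the following Go program is an added example (it is not part of this control, CIS, or any vendor tool). It models a small artifact repository with three versions from one publisher and a gate that verifies every version before any of them is accepted, emitting one audit record per version so logs can show that validation covered all versions. The signature scheme (Ed25519 over a SHA-256 digest), the repository layout, the version strings and the tampered content are all constructed assumptions for the example; a second function, VerifyLatestOnly, models the weaker "latest version only" default described under Default value so the difference is visible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is one published version of a software artifact: its version
// string, its content (constructed sample bytes here) and a detached
// Ed25519 signature over the SHA-256 digest of that content. The scheme is
// an assumption for this example, not one the control mandates.
type Artifact struct {
	Version   string
	Content   []byte
	Signature []byte
}

// AuditRecord is emitted for every version the gate inspects, so deployment
// logs show that validation covered all versions rather than only the latest.
type AuditRecord struct {
	Version string
	Digest  string
	Valid   bool
}

// digest hashes the content; the signature covers the digest so the same
// scheme works for artifacts too large to hold in memory at once.
func digest(content []byte) []byte {
	sum := sha256.Sum256(content)
	return sum[:]
}

// Sign is the publisher side (hypothetical), included only so the example
// can build a signed repository offline.
func Sign(priv ed25519.PrivateKey, content []byte) []byte {
	return ed25519.Sign(priv, digest(content))
}

// VerifyAll validates every version against the trusted publisher key and
// returns one audit record per version. A single invalid version makes the
// whole set unacceptable: the gate fails closed and the caller deploys nothing.
func VerifyAll(pub ed25519.PublicKey, artifacts []Artifact) ([]AuditRecord, error) {
	records := make([]AuditRecord, 0, len(artifacts))
	var failed []string
	for _, a := range artifacts {
		d := digest(a.Content)
		// ed25519.Verify returns false (it does not panic) on a missing or
		// wrong-length signature, so an unsigned version is rejected too.
		ok := ed25519.Verify(pub, d, a.Signature)
		records = append(records, AuditRecord{Version: a.Version, Digest: hex.EncodeToString(d), Valid: ok})
		if !ok {
			failed = append(failed, a.Version)
		}
	}
	if len(failed) > 0 {
		return records, fmt.Errorf("signature validation failed for versions %v", failed)
	}
	return records, nil
}

// VerifyLatestOnly models the weaker default the control warns about: only
// the newest version (last in the list) is checked, so an older tampered
// version slips through.
func VerifyLatestOnly(pub ed25519.PublicKey, artifacts []Artifact) bool {
	if len(artifacts) == 0 {
		return false
	}
	last := artifacts[len(artifacts)-1]
	return ed25519.Verify(pub, digest(last.Content), last.Signature)
}

// SampleRepository builds constructed sample data: three versions signed by
// one publisher key. 1.0.0 and 1.1.0 are intact; 1.0.1 had its content
// replaced after signing, so its signature no longer matches.
func SampleRepository() (ed25519.PublicKey, []Artifact, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	v100 := []byte("constructed artifact content v1.0.0")
	v101 := []byte("constructed artifact content v1.0.1")
	v110 := []byte("constructed artifact content v1.1.0")
	artifacts := []Artifact{
		{Version: "1.0.0", Content: v100, Signature: Sign(priv, v100)},
		{Version: "1.0.1", Content: []byte("replaced after signing"), Signature: Sign(priv, v101)},
		{Version: "1.1.0", Content: v110, Signature: Sign(priv, v110)},
	}
	return pub, artifacts, nil
}

func main() {
	pub, artifacts, err := SampleRepository()
	if err != nil {
		panic(err)
	}
	records, err := VerifyAll(pub, artifacts)
	for _, r := range records {
		fmt.Printf("version=%s sha256=%s... valid=%t\n", r.Version, r.Digest[:16], r.Valid)
	}
	fmt.Println("latest-only check accepts the set:", VerifyLatestOnly(pub, artifacts))
	if err != nil {
		fmt.Println("REJECTED:", err)
		return
	}
	fmt.Println("ACCEPTED: every version verified")
}
```

Run as written, the latest-only check reports true while VerifyAll rejects the set because of version 1.0.1; the per-version audit records are the evidence an auditor would look for in deployment logs. In a real pipeline the trusted public key would come from a pinned, access-controlled location rather than being generated at runtime, and the rejection would stop the deployment step.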
References:
The Update Framework (TUF): https://theupdateframework.io/
OpenPGP Standard: https://www.ietf.org/rfc/rfc4880.txt
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/