Profile Applicability:
Level 1
Description:
All artifacts uploaded to a package registry (such as npm, Maven, PyPI, or container registries) must have their digital signatures validated prior to acceptance. This validation confirms the authenticity and integrity of the artifacts, preventing the introduction of tampered or malicious packages into the software supply chain.
Rationale:
Validating signatures before uploading mitigates risks related to supply chain attacks and unauthorized modifications. It ensures only verified and trusted artifacts are published, protecting downstream consumers and maintaining the security of development and deployment pipelines.
Impact:
Pros:
Prevents untrusted or malicious artifacts from entering the package registry.
Enhances supply chain security and trustworthiness.
Supports compliance with organizational and regulatory security policies.
Facilitates early detection of compromised packages.
Cons:
Adds additional validation steps during the upload process.
Requires secure key management and signature verification infrastructure.
Default value:
By default, some package registries may not enforce signature validation on uploaded artifacts.
Audit:
Review package registry upload logs to verify signature validation steps. Inspect configuration of validation tools integrated with the package registry.
Remediation:
Implement and enforce signature validation policies during artifact upload. Integrate automated signature verification tools within CI/CD pipelines or package registry workflows. Educate developers and release engineers on signature requirements.
References:
npm Security Best Practices: https://docs.npmjs.com/security
Maven Repository Security: https://maven.apache.org/guides/mini/guide-signing-artifacts.html
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/