Profile Applicability:
Level 2
Description:
All software artifacts produced by the build pipeline must be digitally signed automatically as part of the build process. This ensures the authenticity and integrity of artifacts by cryptographically verifying that they originate from a trusted source and have not been tampered with.
Rationale:
Automating artifact signing within the build pipeline eliminates reliance on manual processes, reducing human error and delays. It enforces trust in the software supply chain, supports non-repudiation, and facilitates verification during deployment and distribution.
Impact:
Pros:
Enhances artifact authenticity and integrity.
Reduces risks of tampering or unauthorized modifications.
Enables traceability and accountability of builds.
Streamlines the signing process and enforces consistency.
Cons:
Requires integration and management of signing keys in the pipeline.
Increases build complexity and may require additional tooling.
Default value:
In some environments, artifact signing may be manual or omitted entirely, risking trust and integrity.
Audit:
Review build pipeline configurations to confirm artifact signing steps. Verify signing logs and cryptographic signatures of produced artifacts.
Remediation:
Integrate automated signing tools within the build pipeline. Securely manage signing keys and enforce access controls. Train build and release engineers on signing procedures.
References:
The Update Framework (TUF): https://theupdateframework.io/
GitHub Actions - Code Signing: https://docs.github.com/en/actions/security-guides/code-signing
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/