Profile Applicability:
Level 1
Description:
All metadata generated during the build process—such as build logs, configuration files, and artifact manifests—must be digitally signed by authorized build systems or personnel. This signed metadata should be verified before deployment or release to ensure its authenticity and integrity.
Rationale:
Requiring and verifying signed build metadata prevents tampering and unauthorized modifications during the software build lifecycle. It establishes trust in the build artifacts and supports traceability, compliance, and forensic investigations in case of incidents.
Impact:
Pros:
Enhances integrity and authenticity of build information.
Prevents malicious or accidental alteration of build data.
Supports compliance and audit requirements.
Facilitates reliable software supply chain security.
Cons:
Introduces additional steps in build and release workflows.
Requires management of signing keys and verification tools.
Default value:
Many build environments do not sign or verify build metadata by default, risking undetected tampering.
Audit:
Review build pipelines and artifact repositories for evidence of metadata signing and verification. Inspect key management and access control related to signing processes.
Remediation:
Integrate digital signing of build metadata into automated build pipelines. Implement verification steps before artifact deployment. Train build and release teams on key management and signing procedures.
References:
The Update Framework (TUF): https://theupdateframework.io/
Software Package Data Exchange (SPDX): https://spdx.dev/
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/