Profile Applicability:
Level 1 and Level 2
Description:
Every software artifact produced as part of a release must be digitally signed to verify its authenticity and integrity. Signing all artifacts ensures that recipients can trust the source of the software and detect any tampering or unauthorized modifications prior to deployment or distribution.
Rationale:
Digital signatures protect the software supply chain by enabling verification of artifact provenance and integrity. This control helps prevent the introduction of malicious or corrupted components and supports compliance with security policies and regulatory requirements.
Impact:
Pros:
Confirms authenticity and integrity of release artifacts.
Detects tampering or unauthorized changes.
Enhances trust in software supply chain.
Supports audit and compliance efforts.
Cons:
Requires management of cryptographic keys and signing processes.
Adds steps to the release workflow.
Default value:
Some projects may not consistently sign all release artifacts, increasing risk exposure.
Audit:
Review release records and artifact repositories to verify presence of valid digital signatures on all artifacts. Inspect signing key management and access controls.
Remediation:
Integrate artifact signing into build and release pipelines. Establish secure key management practices. Train teams on signing procedures and compliance requirements.
References:
The Update Framework (TUF): https://theupdateframework.io/
OpenPGP Standard: https://www.ietf.org/rfc/rfc4880.txt
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/