Sigstore centralization concerns

Soatok made an article saying that the best replacement of PGP for signing software is Sigstore, but Kicksecure made an article saying that Sigstore is one of the worst options for signing software due to potential issues with centralization and required trust in entities like Google and Microsoft. It’s well known that Kicksecure values software freedom more than security, but are these freedom concerns bad enough that they outweigh the security benefits?

You can apparently deploy Sigstore locally as well, does this solve the centralization problem?

Trust can be deferred, but trust must be given to someone. Some root authority is gonna have to evaluate claims. Let’s Encrypt, which the article praises, is centralized to the ISRG for encryption. If Sigstore goes well, we will likely have a similar OIDC provider.

The kicksecure article calls possible futures for Sigstore. I can't evaluate if that is the trajectory, but I suspect there is some FUD in favor of keeping the status quo of a decentralized, unsigned flow.

If that local deploy does everything and doesn’t need to talk to another authority, then yeah. Which it seems like it does.

I'm not even sure what freedom concerns kicksecure has. On reading the Sigstore homepage, it's FOSS, so I don't even know what tf kicksecure is talking about now. If kicksecure is worried, or the Linux community, can't they deploy their own Sigstore instance or something?

No, the article does not from my reading.

Why?

The article is quite bad, typical of Kicksecure to have ideology over facts. The main argument is:

A developer would need to authenticate with an OpenID Connect (OIDC) provider such as Google or GitHub to verify ownership of their email address and possession of previously generated keys. This centralizes trust and makes it trivial for these corporations to censor code they find disagreeable, as they act as self-appointed gatekeepers of verification.

But this argument can only be made if you don't understand how sigstore works, how OIDC works, and why industry (including FOSS benefactors like Google, Red Hat, etc.) agrees on it. Why would any corporation agree to limit themselves to Microsoft and Google? The author of the article will benefit from reading this:

Specifically, this:

If you want to add your own, here’s how!

  • Pick a domain!
  • Setup a SPIFFE/SPIRE endpoint on that domain, and expose the OIDC endpoint
  • Send a four-line PR to the Fulcio repo, adding your domain!
  • That’s all!

If you already have a SPIFFE endpoint setup, then you can skip those first two steps. You now have a fully keyless trust root that can issue identity tokens using any scheme you want, as long as they’re for your domain. All of those tokens can then be used to retrieve short-lived code signing certificates from Sigstore, and those certificates will be automatically trusted by all Sigstore clients.


Use sigstore when you can, use minisign otherwise. Do not use PGP, do not use some other less tested tool. Convergence on some tools is nice for interoperability, not everything needs 15000 different options for preserving user freedom if the original tool is designed well.

Any sufficiently large system will have some nodes that require trust, either by design (PGP webs of trust), by the virtue of their power in the system (larger cryptocurrency exchanges), or due to the adoption of their model of the system by the masses (web standards and email, supposedly decentralized, dominated by chrome and gmail).

Trustless world is impossible, zero trust is a facade used to sell commercial contracts to compliance-afraid companies.

Off topic

Always funny to see kicksecure's "War on General Purpose Computing" come up. It is such a paranoid write-up, and full of contradictions. The article always bats for the users' right to run software they want on the devices they buy, yet always forgets to talk about software developers' and manufacturers' right to deny their software and hardware to people who do not respect their freedom to develop the software they wish to. Kicksecure's argument can be used to justify stealing from authors by hiding behind "muh freedumb".

Good.

Important to note that this is from Kicksecure’s wiki which anyone can edit AFAIK

Perhaps praising isn't the word, but it definitely implies it's not bad.

I mean, when I run apt upgrade I'm gonna trust the repositories and downloaded binaries aren't malware. I'm trusting Debian's mirrors of repositories. I cross my fingers and hope it all works.

Do note that they say that they value software freedom and security, but saying that does not mean their positions actually align with those goals.

They host it, and have made no attempt to correct it. Wikipedia has controls for its entries, I am sure Kicksecure can afford to have some controls of its own.

Here’s another comment about Sigstore’s centralization:

These goals are fundamentally at odds with each other. Sigstore isn’t magic, it can’t just verify integrity out of nowhere. It’s an escrow service. You depend on individual login actions, and then have the escrow service verify that you are you and then the escrow service uses its own private key to attest to something.

It’s by definition centralized. The fact that you can centralize it in more than one root private key doesn’t change the fact that an escrow service is centralized around an escrow service.
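As an added example, not code from this thread, from Sigstore, Fulcio or cosign, here is a Go sketch of the "escrow" model described in the last post, and of why the issuer-federation steps quoted earlier (add your OIDC endpoint to Fulcio's config and its identities get certificates) do not by themselves decide what a verifier accepts. One long-lived CA key stands in for Fulcio and issues ten-minute certificates binding an identity and its OIDC issuer to an ephemeral key; the signer uses that key once and drops it; the verifier chains the certificate to the trusted root and then pins the expected identity and issuer, which is what cosign's `--certificate-identity` and `--certificate-oidc-issuer` flags do. Assumptions: the CA, the e-mail identities, the issuer URLs and the artifact bytes are constructed for the example; the OIDC token check is replaced by the caller handing the CA an email and issuer string; Rekor transparency-log inclusion is left out; the issuer is carried in Fulcio's original raw-string extension (OID 1.3.6.1.4.1.57264.1.1) and nothing else from a real Fulcio certificate is reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Fulcio extension naming the OIDC issuer that vouched for the identity (1.3.6.1.4.1.57264.1.1, raw-string form).
var fulcioIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

type CA struct{ Key *ecdsa.PrivateKey; Cert *x509.Certificate } // stands in for Fulcio: the one key every verifier trusts

func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates the self-signed root, the "escrow" key the thread is talking about (constructed, not a real Fulcio root).
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
	}
	cert, err := mint(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// Issue binds (email, issuer) to an ephemeral key for ten minutes; real Fulcio takes both from a verified OIDC token.
func (ca *CA) Issue(email, issuer string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * time.Minute),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: fulcioIssuerOID, Value: []byte(issuer)}},
	}
	return mint(tmpl, ca.Cert, pub, ca.Key)
}

// Sign is keyless signing: fresh key, cert from the CA, one signature, and the key is dropped.
func Sign(ca *CA, email, issuer string, artifact []byte) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := ca.Issue(email, issuer, &key.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return cert, sig, err // key is never persisted: there is nothing long-lived to steal
}

// Verify is the cosign-style client check: chain to the trusted root, pin identity AND issuer,
// then check the signature with the leaf key. Without the two pins, any cert the CA ever issued would pass.
func Verify(root, cert *x509.Certificate, sig, artifact []byte, wantEmail, wantIssuer string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantEmail {
		return fmt.Errorf("identity mismatch: cert is for %v", cert.EmailAddresses)
	}
	issuer := ""
	for _, e := range cert.Extensions {
		if e.Id.Equal(fulcioIssuerOID) {
			issuer = string(e.Value)
		}
	}
	if issuer != wantIssuer {
		return fmt.Errorf("issuer mismatch: cert was issued via %q", issuer)
	}
	digest := sha256.Sum256(artifact)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}
```

The point the code makes about the two posts: the CA is indeed a single trust anchor, since a second CA with a different key cannot produce anything `Verify` accepts, but adding a domain to the issuer list only lets that domain's identities obtain certificates. A verifier that pins `wantEmail` and `wantIssuer` still rejects them, so the trust a consumer places in a federated issuer is decided by the consumer's verification policy, not by the Fulcio config PR.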