[feature request] Signing OpenTelemetry .NET DLLs Using Sigstore certificate
Package
OpenTelemetry
Is your feature request related to a problem?
Yes, the feature request addresses a significant security concern related to the software supply chain. Currently, the OpenTelemetry .NET DLLs are not digitally signed, which exposes users to potential supply chain attacks. Malicious actors could tamper with the DLLs or distribute compromised versions without detection. This lack of code signing undermines the integrity and trustworthiness of the binaries distributed to the public.
What is the expected behavior?
The expected behavior is that the OpenTelemetry .NET DLLs we release to nuget.org are digitally signed using a Sigstore certificate, with the digital signature file (*.sig) included in the NuGet packages published to nuget.org.
This means:
- Digital signing in the CI release pipeline:
  - The CI pipeline integrates Sigstore's signing tools (e.g., Cosign) to automatically sign the DLLs after they are built. It uses keyless signing with ephemeral keys bound to the CI's OpenID Connect (OIDC) identity, eliminating the need for long-lived private keys.
- Verification capability:
  - Users and downstream consumers can verify the digital signatures of the DLLs using Sigstore's verification tools. The signatures are recorded in a public transparency log, ensuring transparency and traceability.
- Enhanced security and trust:
  - The signed DLLs provide cryptographic assurance of their integrity and authenticity.
  - Signing mitigates the risk of supply chain attacks by enabling users to detect any tampering or unauthorized modifications.
BTW: opentelemetry-collector-releases has already integrated with sigstore/cosign. See https://github.com/open-telemetry/opentelemetry-collector-releases/pull/207 and the .sig files in the releases.
Which alternative solutions or features have you considered?
There is a related issue, https://github.com/open-telemetry/opentelemetry-dotnet/issues/1302, about digital signing, in which the tool Get-AuthenticodeSignature was mentioned; that seems to be asking for traditional code signing certificates.
But that requires code signing certificates from commercial Certificate Authorities (CAs) like DigiCert or GlobalSign, which seem unavailable to the OpenTelemetry community.
Meanwhile, Sigstore certificates are available to open source projects and have already been integrated into the opentelemetry-collector releases. The signatures are published as .sig files in each release at https://github.com/open-telemetry/opentelemetry-collector-releases/releases.
Additional context
No response
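The signing and verification flow proposed above, as an added example that is not part of the original issue and not the opentelemetry-dotnet project's own pipeline: a GitHub Actions workflow that keyless-signs each built DLL with cosign (the ephemeral key is bound to the workflow's OIDC identity, so no private key is stored) and then verifies the result the way a downstream consumer would. Assumptions: cosign v2 flag syntax; an earlier build job uploaded the DLLs as an artifact named `dlls`; the workflow file is saved as `.github/workflows/sign-dlls.yml` in the `open-telemetry/opentelemetry-dotnet` repository (that path is what appears in the certificate identity, so it must match the real filename); the workflow runs on a published release, so the OIDC subject ends in `refs/tags/<tag>`.

```yaml
# Added example: keyless cosign signing of .NET DLLs in GitHub Actions.
# Not the project's real pipeline; artifact name, repo and workflow path
# are assumptions and must match the actual repository.
name: sign-dlls

on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write   # lets cosign request an OIDC token from GitHub; without it keyless signing fails

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Download built DLLs
        uses: actions/download-artifact@v4
        with:
          name: dlls          # assumption: the build job uploaded the DLLs under this artifact name
          path: artifacts

      - name: Keyless-sign every DLL
        run: |
          set -euo pipefail
          for dll in artifacts/*.dll; do
            # Fulcio issues a short-lived certificate for this workflow's OIDC identity;
            # the signature and certificate are recorded in the Rekor transparency log.
            # --yes skips the interactive consent prompt for the log upload.
            cosign sign-blob --yes \
              --output-signature "${dll}.sig" \
              --output-certificate "${dll}.pem" \
              "${dll}"
          done

      - name: Verify as a consumer would
        run: |
          set -euo pipefail
          for dll in artifacts/*.dll; do
            # The identity and issuer constraints are what make keyless verification
            # meaningful: they pin the signature to this repo's release workflow, so a
            # valid Sigstore signature from any other identity is rejected.
            cosign verify-blob \
              --signature "${dll}.sig" \
              --certificate "${dll}.pem" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              --certificate-identity-regexp '^https://github\.com/open-telemetry/opentelemetry-dotnet/\.github/workflows/sign-dlls\.yml@refs/tags/' \
              "${dll}"
          done

      - name: Publish signatures next to the DLLs
        uses: actions/upload-artifact@v4
        with:
          name: signed-dlls
          path: |
            artifacts/*.dll
            artifacts/*.dll.sig
            artifacts/*.dll.pem
```

Two points a practitioner should keep in mind when wiring this into a NuGet release. First, with keyless signing the `.sig` file alone is not verifiable: the consumer also needs the Fulcio certificate (the `.pem` here, or a cosign bundle), so whatever is shipped in the package or as a release asset must include it. Second, a `cosign verify-blob` without `--certificate-identity`/`--certificate-identity-regexp` and `--certificate-oidc-issuer` only proves that someone obtained a Sigstore certificate, not that the OpenTelemetry release pipeline did; the identity pin is the actual trust decision, and the regexp above deliberately requires a tag ref so signatures produced from an arbitrary branch run do not pass.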