Implementation Proposal for Witness and Archivista
The software supply chain faces numerous attack risks, making it crucial to establish a secure and trustworthy system for managing software metadata. A key component is the authoritative policy for a software repository, specifying rules based on attestation metadata.
Distributing and trusting the policy poses its own challenges. The policy must keep its integrity and confidentiality, and every party in the supply chain must be able to verify that it is the authoritative one. The proposed solution uses TestifySec Witness policies and integrates Archivista as the API for the TUF repository. Witness policies state which attestations, produced by which functionaries, an artifact must carry before it is considered trustworthy, while Archivista stores and serves the in-toto attestations that those policies are evaluated against.
The system includes four components: Target Client, Target Service, Snapshot Service, and Timestamp Service, with Archivista handling attestations. Archivista stores each attestation in an object store and indexes selected fields in a queryable metadata store exposed through a GraphQL API, so relationships between attestations (for example, every attestation that covers the same artifact digest) can be queried without fetching and parsing the stored objects.
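To make the object-store plus metadata-index split concrete, the Go program below is an added illustration written for this page; it is not Archivista's own code. It models the two tiers described above: an object store keyed by gitoid (the content address Archivista uses for stored envelopes) and a metadata index from subject digest to attestation, and it answers the relationship query "which attestations cover this artifact?". The DSSE envelope is parsed but its signatures are not verified (assumption: that is left to the Witness verifier checking against the policy's public keys). The predicate type URIs, artifact names and digests are constructed placeholders, not real attestations.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Envelope is the DSSE shape Witness emits: the in-toto statement travels as
// the base64 payload. Signatures are required to be present but are not
// verified here (assumption: the Witness verifier does that against the policy).
type Envelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

// Statement carries only the in-toto fields this index needs.
type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// GitOID is the SHA-256 git blob id: sha256("blob <len>\x00" || content).
// Addressing envelopes by content means storing the same bytes twice yields one object.
func GitOID(content []byte) string {
	h := sha256.New()
	fmt.Fprintf(h, "blob %d\x00", len(content))
	h.Write(content)
	return hex.EncodeToString(h.Sum(nil))
}

// Store models the two tiers: opaque envelopes keyed by gitoid, and a metadata
// index from "alg:digest" to the gitoids that attest to that subject.
type Store struct {
	objects   map[string][]byte
	bySubject map[string][]string
	predicate map[string]string // gitoid -> predicateType
}

func NewStore() *Store {
	return &Store{objects: map[string][]byte{}, bySubject: map[string][]string{}, predicate: map[string]string{}}
}

// Put stores the raw envelope and indexes the statement inside it; returns the gitoid.
func (s *Store) Put(raw []byte) (string, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return "", fmt.Errorf("bad envelope: %w", err)
	}
	if len(env.Signatures) == 0 {
		return "", fmt.Errorf("unsigned envelope rejected")
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", fmt.Errorf("bad payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return "", fmt.Errorf("bad statement: %w", err)
	}
	id := GitOID(raw)
	if _, seen := s.objects[id]; seen {
		return id, nil // already stored: content-addressed, so this is a no-op
	}
	s.objects[id] = raw
	s.predicate[id] = st.PredicateType
	for _, sub := range st.Subject {
		for alg, val := range sub.Digest {
			s.bySubject[alg+":"+val] = append(s.bySubject[alg+":"+val], id)
		}
	}
	return id, nil
}

// PredicatesFor answers "which kinds of attestation cover this artifact?",
// the relationship query a policy evaluation needs, served from the index alone.
func (s *Store) PredicatesFor(alg, digest string) []string {
	var out []string
	for _, id := range s.bySubject[alg+":"+digest] {
		out = append(out, s.predicate[id])
	}
	sort.Strings(out)
	return out
}

// MakeEnvelope builds constructed sample data: a one-subject statement wrapped
// in a DSSE envelope with a placeholder (not cryptographically valid) signature.
func MakeEnvelope(predicateType, name, sha string) []byte {
	st := Statement{Type: "https://in-toto.io/Statement/v0.1", PredicateType: predicateType,
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": sha}}}}
	payload, _ := json.Marshal(st)
	env := Envelope{PayloadType: "application/vnd.in-toto+json",
		Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []map[string]string{{"keyid": "builder-key", "sig": "placeholder"}}}
	raw, _ := json.Marshal(env)
	return raw
}

func main() {
	s := NewStore()
	for _, e := range [][3]string{ // constructed predicate URIs, names and digests
		{"example.com/attestations/build", "app.tar.gz", "1111"},
		{"example.com/attestations/test", "app.tar.gz", "1111"},
		{"example.com/attestations/build", "lib.so", "2222"},
	} {
		if _, err := s.Put(MakeEnvelope(e[0], e[1], e[2])); err != nil {
			panic(err)
		}
	}
	fmt.Println(s.PredicatesFor("sha256", "1111"))
}
```

The point of the split is visible in `PredicatesFor`: a policy check can learn which attestation types exist for an artifact from the index, and only then fetch and verify the few envelopes it actually needs from the object store.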
By employing a TUF repository, Witness policies, and Archivista, this solution offers robust security and a reliable system for managing software metadata, ensuring secure distribution and trust in the software supply chain.
Target Client Create Policy Overview