Speranza: Usable, privacy-friendly software signing
share
Software repositories, used for wide-scale open software distribution, are a significant vector for security attacks. Much of this malicious behavior can be traced to a lack of strong authentication for software. To mitigate this problem, digital signatures provide confidence in the authenticity and authorization for signers of the software, but introduce privacy problems by exposing maintainers' personally identifiable information. The contribution of this project, Speranza, is to allow for verification of authenticity for software packages in a repository while providing anonymity to signers through the use of zero-knowledge identity co-commitments. In Speranza, a signer uses an automated certificate authority (CA) to create a private identity-backed signature and proof of authorization. Verifiers check that a signer was authorized to publish a package, without learning the signer's identity. The package repository keeps a private mapping from package names to the identities of authorized signers, but publishes only commitments to identities in a public map. When issuing certificates, the CA issues the certificate to a distinct commitment to the same identity. The signer then creates a zero-knowledge proof of a commitment that these are identity co-commitments. We implemented a proof-of-concept, finding that costs to maintainers (signing) and end users (verifying) are small, even for a repository with millions of packages: 404 us and 372 us, respectively. End users must learn the authorization policy in order to verify packages. In a naive approach, they must download the policy for every package in advance (possibly 100 MiB total, or more); we use techniques inspired by recent key transparency systems to reduce this to 2 KiB. Server costs in this system are negligible. Our evaluation finds that Speranza is practical on the scale of the largest software repositories.
READ FULL TEXT