Abstract:
This project offers a novel strategy for supporting software supply chain security systems in response to growing concern about software supply chain security. Its main novelty is a transparent log, built on Merkle trees, that is dedicated solely to storing artefact signature credentials.
The transparent log acts as an auditable, publicly accessible record, bringing transparency and accountability to the credential management process. Beyond the added security, this transparency makes it easier for end users to verify information. The project seeks to strengthen user confidence in the software supply chain by making it simple for users to trace and confirm the authenticity and provenance of software artefacts through the log.
The focus on artefact signature credentials further extends the system's capabilities: for every artefact, the log records its distinguishing characteristics together with the cryptographic signatures linked to it, giving a finer-grained, artefact-specific method of managing credentials. Because users can rapidly determine the authenticity of an individual artefact, this specificity both improves security and streamlines the verification process.
The log's Merkle-tree structure makes data verification both efficient and secure: every entry is hashed into a hierarchy that culminates in a single root hash, so any tampering with a credential, or any irregularity in the log, changes that root and can be detected quickly. This cryptographic foundation strengthens the system's integrity while also improving its efficiency and scalability.
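To make the Merkle-tree reasoning concrete, and to show what a per-artefact credential record might look like, here is an added Python example; it is not code from the original project. It builds a minimal log of artefact signature credentials hashed into an RFC 6962-style Merkle tree, produces inclusion proofs an end user can check against a published root hash, and demonstrates that rewriting one stored signature changes the root and invalidates the original proof. The Credential fields, the sample entries and every digest and signature value are constructed placeholders, not real artefacts or signatures.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Credential:
    """One log entry: an artefact's identifying characteristics plus its signature credential (field names are assumptions)."""
    artefact_name: str
    artefact_sha256: str  # hex digest of the artefact the signature covers
    signer_key_id: str    # identifier of the key that produced the signature
    signature_hex: str    # signature as hex (sample values below are constructed)

    def leaf_bytes(self) -> bytes:
        # Canonical serialisation: log and verifier must hash identical bytes.
        return "\n".join((self.artefact_name, self.artefact_sha256,
                          self.signer_key_id, self.signature_hex)).encode()

def hash_leaf(data: bytes) -> bytes:
    # RFC 6962 domain separation: leaves get a 0x00 prefix, interior nodes 0x01,
    # so a leaf value can never be passed off as an interior node.
    return hashlib.sha256(b"\x00" + data).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split_point(n: int) -> int:
    # Largest power of two strictly less than n (RFC 6962 tree shape), n >= 2.
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves: List[bytes]) -> bytes:
    """Merkle tree hash over the ordered log entries."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(leaves[0])
    k = _split_point(n)
    return hash_node(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path for leaves[index]: sibling hashes from the leaf up to the root."""
    n = len(leaves)
    if not 0 <= index < n:
        raise IndexError("leaf index outside the log")
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def root_from_proof(leaf_hash: bytes, index: int, size: int,
                    proof: List[bytes]) -> Optional[bytes]:
    """Recompute the root from a leaf and its audit path; None if the proof is malformed."""
    if not 0 <= index < size:
        return None
    if size == 1:
        return leaf_hash if not proof else None
    if not proof:
        return None
    k = _split_point(size)
    sibling, rest = proof[-1], proof[:-1]
    if index < k:
        sub = root_from_proof(leaf_hash, index, k, rest)
        return None if sub is None else hash_node(sub, sibling)
    sub = root_from_proof(leaf_hash, index - k, size - k, rest)
    return None if sub is None else hash_node(sibling, sub)

def verify_inclusion(cred: Credential, index: int, size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """End-user check: is exactly this credential in the log with this root hash?"""
    return root_from_proof(hash_leaf(cred.leaf_bytes()), index, size, proof) == root

# Constructed sample log; digests and signatures are placeholder values, not real ones.
SAMPLE_LOG = [
    Credential("libfoo-1.2.0.tar.gz", "aa" * 32, "key-2024-01", "01" * 64),
    Credential("libfoo-1.2.1.tar.gz", "bb" * 32, "key-2024-01", "02" * 64),
    Credential("app-3.0.0.whl", "cc" * 32, "key-2024-02", "03" * 64),
]

def demo() -> dict:
    leaves = [c.leaf_bytes() for c in SAMPLE_LOG]
    root, size = merkle_root(leaves), len(leaves)
    # Every honest entry verifies against the published root.
    all_ok = all(verify_inclusion(c, i, size, inclusion_proof(leaves, i), root)
                 for i, c in enumerate(SAMPLE_LOG))
    # Tampering: the stored signature on entry 1 is rewritten after the fact.
    forged = Credential(SAMPLE_LOG[1].artefact_name, SAMPLE_LOG[1].artefact_sha256,
                        SAMPLE_LOG[1].signer_key_id, "ff" * 64)
    tampered_root = merkle_root([l if i != 1 else forged.leaf_bytes()
                                 for i, l in enumerate(leaves)])
    proof1 = inclusion_proof(leaves, 1)
    return {
        "all_verify": all_ok,
        "root_changed": tampered_root != root,  # tampering is visible in the root
        "old_proof_fails": not verify_inclusion(SAMPLE_LOG[1], 1, size, proof1, tampered_root),
        "forged_fails": not verify_inclusion(forged, 1, size, proof1, root),
        "short_proof_fails": not verify_inclusion(SAMPLE_LOG[0], 0, size, proof1[:1], root),
    }
```

Calling `demo()` returns five booleans, all True: the honest entries verify, the altered signature changes the root, the stale proof no longer matches the tampered root, the forged entry cannot be proven against the original root, and a proof with the wrong number of siblings is rejected rather than causing an error. The 0x00/0x01 prefixes matter: without them an attacker who controls leaf contents could craft a leaf whose hash collides with an interior node, which is why domain separation is part of the RFC 6962 design this example follows.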
By developing an intuitive and secure approach that combines the efficiency of Merkle trees, the specificity of artefact signature credentials and the transparency of a public log, the project aims to promote broader adoption of software supply chain security systems. The ultimate goal is to simplify verification for end users and to offer a strong defence against potential security risks throughout the software development lifecycle, helping to build confidence and trust in the wider software supply chain ecosystem.