Overview of package signature


This page explains how you can download the signatures for Assured Open Source Software packages. Each Assured OSS package is signed with a separate Google-issued certificate whose key pair is generated with the ECDSA P-256 algorithm. These certificates are issued by the Google Certificate Authority, and the corresponding public root certificate can be found here.

About package signatures

Package signatures are stored in a zip file in the Cloud Storage bucket. The zip file contains the following four files:

  • digest.txt - This file stores the hashing algorithm along with the package digest in hex-encoded format. For example:

    SHA-256:c5feab6f4de0878e94cf2a3074039b4f16a0c93a03501f047ee6eea29a8e33e0
    
  • signature.txt - This file stores the signature algorithm along with the hex-encoded signature. For example:

    ECDSAP256_DER:30450220585d2a01f20de98dfe6cfab2c01a8f11787dbafbc6541304d23cc582e61be016022100f05a19f5ce473144579dfefc47905fd650584a1c7a31bd9d5bf93ecce739a7cb
    
  • cert.pem - This file stores the public certificate.

  • certChain.pem - This file stores the certificate chain for the public certificate.
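
As an added example (not code from this page or from Assured OSS), the following Go program parses the four files in the formats listed above and performs the checks a consumer would run before trusting a download: recompute SHA-256 over the package and compare it with digest.txt, verify that cert.pem chains through certChain.pem to a trusted root, confirm the certificate key is ECDSA P-256, and verify the DER signature from signature.txt. It assumes that the signature is computed over the SHA-256 digest of the package bytes (the page does not state what is signed). Because it must run offline, MakeFixture generates a self-signed certificate as a constructed stand-in for the Google-issued one; with a real download, the file contents come from the zip and roots would hold Google's published root certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// parseLabeled decodes the "LABEL:hex" line used by digest.txt and signature.txt.
func parseLabeled(line, wantLabel string) ([]byte, error) {
	label, hexPart, ok := strings.Cut(strings.TrimSpace(line), ":")
	if !ok || label != wantLabel {
		return nil, fmt.Errorf("expected %q prefix in %q", wantLabel, line)
	}
	return hex.DecodeString(hexPart)
}

// VerifyPackage checks pkg against the four signature files: digest.txt must equal
// SHA-256(pkg), cert.pem must chain via certChain.pem to a root in roots, and
// signature.txt must verify under cert.pem's P-256 key.
// Assumption (not stated on the page): the signature is over SHA-256(pkg).
func VerifyPackage(pkg []byte, digestTxt, signatureTxt string, certPEM, chainPEM []byte, roots *x509.CertPool) error {
	wantDigest, err := parseLabeled(digestTxt, "SHA-256")
	if err != nil {
		return err
	}
	sum := sha256.Sum256(pkg)
	if !bytes.Equal(sum[:], wantDigest) {
		return errors.New("digest.txt does not match the package contents")
	}
	sig, err := parseLabeled(signatureTxt, "ECDSAP256_DER")
	if err != nil {
		return err
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("cert.pem is not a PEM-encoded certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	inter.AppendCertsFromPEM(chainPEM) // certChain.pem may hold several certificates
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("cert.pem does not chain to a trusted root: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve.Params().Name != "P-256" {
		return errors.New("cert.pem key is not ECDSA P-256")
	}
	if !ecdsa.VerifyASN1(pub, sum[:], sig) {
		return errors.New("signature.txt does not verify under cert.pem")
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MakeFixture is a constructed stand-in for a real signature zip: it signs pkg with a
// fresh P-256 key under a self-signed certificate and returns the contents of
// digest.txt, signature.txt and cert.pem plus a root pool that trusts that certificate.
func MakeFixture(pkg []byte) (digestTxt, signatureTxt string, certPEM []byte, roots *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed signer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	sum := sha256.Sum256(pkg)
	sig := must(ecdsa.SignASN1(rand.Reader, key, sum[:]))
	roots = x509.NewCertPool()
	roots.AddCert(must(x509.ParseCertificate(der)))
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return "SHA-256:" + hex.EncodeToString(sum[:]), "ECDSAP256_DER:" + hex.EncodeToString(sig), certPEM, roots
}

func main() {
	pkg := []byte("constructed bytes standing in for a downloaded jar")
	digest, sig, certPEM, roots := MakeFixture(pkg)
	fmt.Println("genuine:", VerifyPackage(pkg, digest, sig, certPEM, certPEM, roots))
	pkg[0] ^= 1 // a single flipped bit must fail the digest check
	fmt.Println("tampered:", VerifyPackage(pkg, digest, sig, certPEM, certPEM, roots))
}
```

The order of the checks matters: the digest is compared first so that a corrupted download is reported as such, the certificate is validated against the root pool before its key is used, and only then is the signature checked. Because certChain.pem is loaded only as intermediates, a signature made under a certificate from any other issuer fails the chain check even when digest.txt and signature.txt are internally consistent.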

The URL of the zip file is available in the security metadata of each package as shown in the following example.

package {
  distribution {
    cpe_uri: "cpe:2.3:a:JAVA::com.fasterxml.jackson.core:jackson-databind:2.13.3:*:*:*:*:*:*:*"
    maintainer: "<nil>"
    url: "https://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.jar"
    description: "{\n  \"artifactMetadataList\": [\n    {\n      \"digestUrl\": \"gs://cloud-aoss/java/com.fasterxml.jackson.core:jackson-databind/2.13.3/jackson-databind-2.13.3_binary_2022-10-12T06:54:05Z.zip\"\n    }\n  ]\n}"
  }
  distribution {
    cpe_uri: "cpe:2.3:a:JAVA::com.fasterxml.jackson.core:jackson-databind:2.13.3:*:*:*:*:*:*:*"
    url: "https://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3-sources.jar"
    description: "{\n  \"digestUrl\": \"gs://cloud-aoss/java/com.fasterxml.jackson.core:jackson-databind/2.13.3/jackson-databind-2.13.3-sources_source_2022-10-12T06:54:05Z.zip\"\n}"
  }
}

Download package signatures

Download the zip file from the Cloud Storage bucket using the gsutil command-line tool. To do this:

  1. Authenticate with the service account to access the Cloud Storage bucket using the following command:

    gcloud auth activate-service-account --key-file KEY_FILE
    

    Where KEY_FILE is the path to the file containing the service account credentials.

  2. Download the zip file containing the signature to your machine using the following command:

    gsutil cp -r SIGNATURE_ZIP_URL PATH_TO_LOCAL_STORE
    

    Where SIGNATURE_ZIP_URL is the URL of the zip file obtained from the security metadata of the package and PATH_TO_LOCAL_STORE is the path to the local directory where you want to download the file.
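
The SIGNATURE_ZIP_URL used in step 2 is the digestUrl embedded as a JSON string in the description field of each distribution in the security metadata, and the two entries shown above use different shapes (a top-level "digestUrl" versus an "artifactMetadataList" array). As an added example (not code from this page or from Assured OSS), the following Go program extracts every digestUrl from such a description, accepts both shapes, rejects anything that is not a gs:// URL, and prints the gsutil command to run; the description strings in main are copied from the metadata example above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// DigestURLs extracts every digestUrl from a distribution's description JSON.
// The security metadata on the page uses two shapes: a top-level "digestUrl",
// and an "artifactMetadataList" array whose elements each carry one.
func DigestURLs(description string) ([]string, error) {
	var doc struct {
		DigestURL            string `json:"digestUrl"`
		ArtifactMetadataList []struct {
			DigestURL string `json:"digestUrl"`
		} `json:"artifactMetadataList"`
	}
	if err := json.Unmarshal([]byte(description), &doc); err != nil {
		return nil, fmt.Errorf("description is not valid JSON: %w", err)
	}
	var urls []string
	if doc.DigestURL != "" {
		urls = append(urls, doc.DigestURL)
	}
	for _, m := range doc.ArtifactMetadataList {
		if m.DigestURL != "" {
			urls = append(urls, m.DigestURL)
		}
	}
	if len(urls) == 0 {
		return nil, errors.New("description carries no digestUrl")
	}
	for _, u := range urls {
		// Only Cloud Storage URLs are expected here; anything else is a sign the
		// metadata was altered or misparsed and should not be passed to gsutil.
		if !strings.HasPrefix(u, "gs://") {
			return nil, fmt.Errorf("unexpected digestUrl %q", u)
		}
	}
	return urls, nil
}

func main() {
	// Description strings copied from the security metadata example on the page.
	for _, desc := range []string{
		"{\n  \"artifactMetadataList\": [\n    {\n      \"digestUrl\": \"gs://cloud-aoss/java/com.fasterxml.jackson.core:jackson-databind/2.13.3/jackson-databind-2.13.3_binary_2022-10-12T06:54:05Z.zip\"\n    }\n  ]\n}",
		"{\n  \"digestUrl\": \"gs://cloud-aoss/java/com.fasterxml.jackson.core:jackson-databind/2.13.3/jackson-databind-2.13.3-sources_source_2022-10-12T06:54:05Z.zip\"\n}",
	} {
		urls, err := DigestURLs(desc)
		if err != nil {
			panic(err)
		}
		for _, u := range urls {
			fmt.Printf("gsutil cp -r %s PATH_TO_LOCAL_STORE\n", u)
		}
	}
}
```

Run it with the description strings taken from your own package's security metadata to produce the exact gsutil invocation for step 2; the gs:// check ensures that only a Cloud Storage object path is handed to the copy command.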

Learn more

Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully managed, end-to-end software supply chain security solution that helps you improve the security posture of developer workflows and tools, software dependencies, the CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.

What's next?