P.1.2 Software release integrity

Control Details

Objective

Provide software acquirers assurance that the software they acquire is legitimate and has not been tampered with.

Definition

Use code protection mechanisms, such as code signing with certificates issued by an established certificate authority, to enable attestation of the provenance, integrity, and authorization of important code and AI models. Make software integrity verification information, such as cryptographic hashes of release files, available to software acquirers on a well-secured website.
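As an added illustration of the second half of this definition (not part of the control text or any referenced framework), the following Python script produces a SHA256SUMS-style manifest for a release directory and verifies downloaded files against it, reporting a tampered artifact; the file names and contents are constructed for the demo. A hash manifest served alongside the files detects corruption and post-publication modification, but only a signature over the manifest (or the files) with a key chained to a trusted authority, as the first half of the definition requires, tells the acquirer who published it.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large release archives never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def write_manifest(release_dir, manifest_name="SHA256SUMS"):
    """Write '<hex>  <file>' lines (the format `sha256sum -c` reads); return the path."""
    manifest_path = os.path.join(release_dir, manifest_name)
    lines = [
        f"{sha256_file(os.path.join(release_dir, name))}  {name}"
        for name in sorted(os.listdir(release_dir))
        if name != manifest_name and os.path.isfile(os.path.join(release_dir, name))
    ]
    with open(manifest_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return manifest_path

def verify_release(release_dir, manifest_path):
    """Return {file: 'OK' | 'FAILED' | 'MISSING'} for every entry in the manifest."""
    results = {}
    with open(manifest_path) as f:
        for line in filter(None, f.read().splitlines()):
            expected, name = line.split("  ", 1)
            full = os.path.join(release_dir, name)
            if not os.path.isfile(full):
                results[name] = "MISSING"
            else:  # compare_digest: constant-time comparison is the habit for any digest check
                ok = hmac.compare_digest(sha256_file(full), expected)
                results[name] = "OK" if ok else "FAILED"
    return results

def demo():
    """Constructed release: publish a manifest, then alter one artifact afterwards."""
    with tempfile.TemporaryDirectory() as release_dir:
        for name, body in (("app-1.0.tar.gz", b"archive bytes"), ("LICENSE", b"MIT")):
            with open(os.path.join(release_dir, name), "wb") as f:
                f.write(body)
        manifest = write_manifest(release_dir)
        with open(os.path.join(release_dir, "app-1.0.tar.gz"), "ab") as f:
            f.write(b"\x00injected")  # simulated modification after the hashes were published
        return verify_release(release_dir, manifest)
```

Running `demo()` returns `{"LICENSE": "OK", "app-1.0.tar.gz": "FAILED"}`, which is the signal an acquirer's download step should treat as a hard stop.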

Assessment Questions

  1. What software integrity artifacts do you make available to software acquirers, such as cryptographic hashes of release files?
  2. What certificate authority do you use for code/commit signing?
  3. How often do you review code signing processes, such as certificate renewal and key rotation?
  4. How do you manage and protect your signing server? For example, is it a dedicated system?

Reference sources

  1. EO 4e(iii)
  2. SSDF PS.2.1
  3. SSDF-AI PS.2.1
  4. SLSA Distributing provenance Source L3: Signed and auditable provenance
  5. BSIMM SE2.4
  6. OWASP-SCVS 4.12 6
  7. OSSF-Scorecard signed-release licenses
  8. CNCF-SSC A-V Validate the Signatures Generated at Each Step; A-A Use TUF to manage signing of artifacts
  9. S2C2F REB-2
  10. SAMM I-SD-3-A
  11. OSPS OSPS-BR-06, OSPS-DO-03