
EP-4740125-A1 - END TO END ARTIFACT TRUST IN CLOUD ENVIRONMENTS


Abstract

Techniques are described for providing end-to-end content trust for artifact types managed by a service provider, regardless of where or how the artifacts are deployed or applied in a target environment. The described trust mechanism is agnostic to the specific type of artifact and where the artifact is being applied from within a cloud environment.

Inventors

  • WEISSERTH, Tobias D.F.
  • CHEN, QIMING
  • HIRANI, SOHAIL A.

Assignees

  • Microsoft Technology Licensing, LLC

Dates

Publication Date
20260513
Application Date
20240701

Claims (20)

  1. A method for managing trusted content in a computing network (100) operated by a computing service provider, the method comprising: receiving, by the computing service provider from a publisher (101), an artifact (102) that is usable for deployments in the computing network; receiving, by the computing service provider from the publisher, a signature (632B) for the artifact, wherein the signature is based on a signing certificate (202) obtained from a certificate authority (203); verifying (622), by the computing service provider, the signature; in response to verifying the signature, re-signing (623), by the computing service provider, the artifact with a certificate (604) generated and managed by the computing service provider; and using the re-signed artifact (636) as a source of trust for the artifact for distribution and lifecycle of the artifact for the deployments in the computing network.
  2. The method of claim 1, wherein the method is agnostic to a type of the artifact.
  3. The method of claim 2, wherein the artifact is one of a container image, Helm package, Helm chart, configuration schema, templates, or virtual machine images.
  4. The method of claim 1, further comprising providing immutability and versioning for the artifact.
  5. The method of claim 1, further comprising revoking the artifact as a trusted artifact.
  6. The method of claim 1, further comprising storing a plurality of re-signed artifacts in an artifact store.
  7. The method of claim 1, wherein the verifying of the signature is based on a trust policy.
  8. A computing device comprising: a memory storing thereon instructions that when executed by a processing system of the computing device, cause the computing device to perform operations comprising: receiving, from a publisher (101), an artifact (102) that is usable for deployments in a computing network (100); receiving, from the publisher, a signature (632B) for the artifact, wherein the signature is based on a signing certificate (202) obtained from a certificate authority (203); verifying (622) the signature; in response to verifying the signature, re-signing (623) the artifact with a certificate (604) generated and managed by a service provider; and using the re-signed artifact (636) as a source of trust for the artifact for distribution and lifecycle of the artifact for the deployments in the computing network.
  9. The computing device of claim 8, wherein the operations are agnostic to a type of the artifact.
  10. The computing device of claim 9, wherein the artifact is one of a container image, Helm package, Helm chart, configuration schema, templates, or virtual machine images.
  11. The computing device of claim 8, further comprising instructions that when executed by a processing system of the computing device, cause the computing device to perform operations comprising providing immutability and versioning for the artifact.
  12. The computing device of claim 8, further comprising instructions that when executed by a processing system of the computing device, cause the computing device to perform operations comprising revoking the artifact as a trusted artifact.
  13. The computing device of claim 8, further comprising instructions that when executed by a processing system of the computing device, cause the computing device to perform operations comprising storing a plurality of re-signed artifacts in an artifact store.
  14. The computing device of claim 8, wherein the verifying of the signature is based on a trust policy.
  15. A computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by one or more processors of a system, cause the system to perform operations comprising: receiving, from a publisher (101), an artifact (102) that is usable for deployments in a computing network (100); receiving, from the publisher, a signature (632B) for the artifact, wherein the signature is based on a signing certificate (202) obtained from a certificate authority (203); verifying (622) the signature; in response to verifying the signature, re-signing (623) the artifact with a certificate (604) generated and managed by a service provider; and using the re-signed artifact (636) as a source of trust for the artifact for distribution and lifecycle of the artifact for the deployments in the computing network.
  16. The computer-readable storage medium of claim 15, wherein the operations are agnostic to a type of the artifact.
  17. The computer-readable storage medium of claim 16, wherein the artifact is one of a container image, Helm package, Helm chart, configuration schema, templates, or virtual machine images.
  18. The computer-readable storage medium of claim 15, further comprising computer-executable instructions stored thereupon which, when executed by one or more processors of a system, cause the system to perform operations comprising providing immutability and versioning for the artifact.
  19. The computer-readable storage medium of claim 15, further comprising computer-executable instructions stored thereupon which, when executed by one or more processors of a system, cause the system to perform operations comprising revoking the artifact as a trusted artifact.
  20. The computer-readable storage medium of claim 15, further comprising computer-executable instructions stored thereupon which, when executed by one or more processors of a system, cause the system to perform operations comprising storing a plurality of re-signed artifacts in an artifact store.
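
The verify-then-re-sign flow of claim 1, with the trust policy of claim 7, sketched as an added example that is not code from the patent or its applicant. The `Cert` type, the function names and the choice of Ed25519 over a SHA-256 digest are assumptions made for illustration; a real signing certificate would be X.509 with chain and expiry validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Cert is a simplified stand-in for a signing certificate (not real X.509).
type Cert struct {
	Pub   ed25519.PublicKey // publisher's public key
	CASig []byte            // CA's signature over Pub
}

// Sign and Verify work on the SHA-256 digest, so the artifact type is irrelevant.
func Sign(k ed25519.PrivateKey, artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return ed25519.Sign(k, d[:])
}

func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact) // length check below: ed25519.Verify panics on a malformed key
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, d[:], sig)
}

// Admit applies the trust policy (accepted CAs), verifies, and only then re-signs.
func Admit(cas []ed25519.PublicKey, platform ed25519.PrivateKey, artifact, pubSig []byte, c Cert) ([]byte, error) {
	for _, ca := range cas {
		if len(ca) == ed25519.PublicKeySize && ed25519.Verify(ca, c.Pub, c.CASig) {
			if !Verify(c.Pub, artifact, pubSig) {
				return nil, fmt.Errorf("publisher signature does not match artifact")
			}
			return Sign(platform, artifact), nil // platform signature is now the source of trust
		}
	}
	return nil, fmt.Errorf("certificate not issued by a trusted CA")
}

// Demo uses constructed keys and data; returns admit, deploy, tamper, rogue-CA results.
func Demo() (admitted, deployOK, tamperOK, rogueAdmitted bool) {
	caPub, caKey, _ := ed25519.GenerateKey(nil)
	pub, key, _ := ed25519.GenerateKey(nil)
	platPub, platKey, _ := ed25519.GenerateKey(nil)
	cas, art := []ed25519.PublicKey{caPub}, []byte("constructed sample artifact")
	sig, err := Admit(cas, platKey, art, Sign(key, art), Cert{pub, ed25519.Sign(caKey, pub)})
	_, rogue := Admit(cas, platKey, art, Sign(key, art), Cert{pub, ed25519.Sign(key, pub)})
	return err == nil, Verify(platPub, art, sig), Verify(platPub, append(art, 'x'), sig), rogue == nil
}
func main() { fmt.Println(Demo()) }
```

The deployment-side check needs only the platform public key, which is why the target environment never has to track each publisher's certificate.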

Description

END TO END ARTIFACT TRUST IN CLOUD ENVIRONMENTS

PRIORITY APPLICATION

[0001] This application claims the benefit of and priority to U.S. Provisional Application No. 63/525,144, filed July 5, 2023, the entire contents of which are incorporated herein by reference.

BACKGROUND

[0002] A data center may house computer systems and various networking, storage, and other related components. Data centers may, for example, be used by service providers to provide computing services to businesses and individuals as a remote computing service or provide “software as a service” (e.g., cloud computing). Service providers may also utilize edge sites that include a geographically distributed group of servers and other devices that work together to provide delivery of content to end-users of data center services. In some implementations, service providers enable infrastructure and workload orchestration in hybrid cloud environments. In such complex environments, numerous artifacts are created, used, and managed, such as virtual machine (VM) images, container images, workload and service configuration artifacts, and the like. These artifacts are persisted and distributed by the service provider, resulting in deployments and configurations applied by the service provider in customer target environments.

[0003] Software artifact content trust is an important aspect of software supply chain security in such environments. Software artifact content trust refers to the ability to verify the authenticity, integrity, and provenance of software artifacts, such as packages, libraries, or binaries, that are consumed by developers or end-users. Software artifact content trust enables users to have confidence that the artifacts they use are not tampered with, compromised, or malicious. An unsecure software supply chain may attract trojan horse attacks, for example. To enable a service provider to deliver trusted vendor applications into the operator environment, content trust is an important aspect of such services.

[0004] It is with respect to these considerations and others that the disclosure made herein is presented.

SUMMARY

[0005] Supply chain security is an important requirement for service orchestration and verifiable trust at the level of each individual artifact, regardless of its type and target environment. Supply chain security is needed to provide protection against increasingly sophisticated supply chain attacks. It is desirable for service providers to provide end-to-end artifact trust with the ability to trace back the origin of each artifact under management by the service provider. The service provider can enforce policies to prevent untrusted and unverified artifacts from being deployed or applied in user environments.

[0006] The present disclosure provides a way to address end-to-end content trust for artifact types managed by the service provider, regardless of where or how the artifacts are deployed or applied in a target environment. In an embodiment, a trust mechanism is described that is agnostic to the specific type of artifact and where the artifact is being applied from within a cloud environment.

[0007] In an embodiment, a resource type is provided to describe an artifact store which is used to hold all artifacts under management of the service provider. Access to the underlying artifacts is protected by protective measures or safety mechanisms to enforce artifact immutability and versioning at the platform level. The artifact store resource type is an abstraction from actual storage and the service provider manages underlying registry and storage mechanisms. In an embodiment, a trusted artifact store is provided that requires publishers managing artifacts in any type of artifact store to provide a valid signature for each artifact that the publisher declares and enters into the platform.

[0008] In various embodiments disclosed here, deployments of these artifacts are end-to-end verified for a valid signature. The initial signature provided at entry of an artifact is provided by publishers based on a signing key that the publisher obtains from a certificate authority that the service provider’s platform recognizes as trustworthy. The publisher performs the certificate authority's verification process to obtain a valid signing certificate. The publisher signs their artifacts with the valid signing certificate and submits both artifacts and signatures into the trusted artifact store. The service provider verifies the signature and in response to verifying a valid signature, the service provider re-signs the artifact with a platform generated and managed certificate. Trust from that point on in the supply chain is based on this source of trust. The service provider manages the distribution and lifecycle of this certificate in target deployment environments where application of signed artifacts is verified for a valid signature.

[0009] The disclosed embodiments provide for secure deployment of all types of artif