Metadata-Version: 2.4
Name: sscs-assignment
Version: 0.1.0
Summary: Software Supply Chain Security Assignment
License-File: LICENSE
Author: aadi
Requires-Python: >=3.13
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Requires-Dist: astroid (==4.0.1)
Requires-Dist: bandit (==1.8.6)
Requires-Dist: black (==25.9.0)
Requires-Dist: certifi (==2025.10.5)
Requires-Dist: cffi (==2.0.0)
Requires-Dist: cfgv (==3.4.0)
Requires-Dist: charset-normalizer (==3.4.3)
Requires-Dist: click (==8.3.0)
Requires-Dist: cryptography (==46.0.2)
Requires-Dist: dill (==0.4.0)
Requires-Dist: distlib (==0.4.0)
Requires-Dist: filelock (==3.20.0)
Requires-Dist: flake8 (==7.3.0)
Requires-Dist: gitdb (==4.0.12)
Requires-Dist: gitdb2 (==4.0.2)
Requires-Dist: gitpython (==3.0.6)
Requires-Dist: identify (==2.6.15)
Requires-Dist: idna (==3.11)
Requires-Dist: isort (==7.0.0)
Requires-Dist: logger (==1.4)
Requires-Dist: markdown-it-py (==4.0.0)
Requires-Dist: mccabe (==0.7.0)
Requires-Dist: mdurl (==0.1.2)
Requires-Dist: mypy (==1.18.2)
Requires-Dist: mypy-extensions (==1.1.0)
Requires-Dist: nodeenv (==1.9.1)
Requires-Dist: packaging (==25.0)
Requires-Dist: pathspec (==0.12.1)
Requires-Dist: platformdirs (==4.5.0)
Requires-Dist: pre-commit (==4.4.0)
Requires-Dist: pycodestyle (==2.14.0)
Requires-Dist: pycparser (==2.23)
Requires-Dist: pyflakes (==3.4.0)
Requires-Dist: pygments (==2.19.2)
Requires-Dist: pylint (==4.0.0)
Requires-Dist: pytokens (==0.1.10)
Requires-Dist: pyyaml (==6.0.3)
Requires-Dist: requests (==2.32.5)
Requires-Dist: rich (==14.2.0)
Requires-Dist: ruamel-yaml (==0.17.40)
Requires-Dist: smmap (==5.0.2)
Requires-Dist: stevedore (==5.5.0)
Requires-Dist: tomlkit (==0.13.3)
Requires-Dist: trufflehogregexes (==0.0.7)
Requires-Dist: types-requests (==2.32.4.20250913)
Requires-Dist: typing-extensions (==4.15.0)
Requires-Dist: urllib3 (==2.5.0)
Requires-Dist: virtualenv (==20.35.4)
Requires-Dist: yamlfmt (==1.1.1)
Description-Content-Type: text/markdown

# software-supply-chain-security

this repository demonstrates software supply chain security practices using [sigstore](https://www.sigstore.dev/) for artifact signing and verification.  
it includes steps to **create, sign, and verify software artifacts**, along with verifying their inclusion in a **merkle tree transparency log**.

the workflow implemented here helps ensure:
- integrity of published artifacts
- provenance tracking of software releases
- prevention of supply chain attacks

---

## repository structure

| file / folder       | description |
|---------------------|-------------|
| `artifact.md`       | initial sample artifact file to sign |
| `artifact.bundle`   | signed bundle generated by sigstore for `artifact.md` |
| `artifact_2.md`     | second sample artifact |
| `artifact_2.bundle` | signed bundle for `artifact_2.md` |
| `main.py`           | core verification script (inclusion & consistency checks) |
| `merkle_proof.py`   | utilities for working with merkle tree proofs |
| `util.py`           | helper functions used across scripts |
| `demo.png`          | visual demo of signing and verification steps |
| `__pycache__/`      | compiled python cache files |
| `.gitignore`        | ignored files for git |

---

## demo workflow

the overall process is divided into **three steps**:

### step 1: create & sign artifact
generate an artifact and sign it with sigstore:
```bash
echo "hello world!" > artifact_2.md
python -m sigstore sign --bundle artifact_2.bundle artifact_2.md
```

this generates:

* the signed bundle `artifact_2.bundle`
* transparency log entry metadata (e.g., `logIndex`, `logID`)

---

### step 2: get merkle tree & artifact info

extract important fields from the bundle:

```bash
cat artifact_2.bundle | jq '.' | tail -n 5
```

example output:

```
"logIndex": 482833136,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
```

check the current checkpoint of the merkle tree:

```bash
python3 main.py -c
```

---

### step 3: verify artifact

#### a) verify signature & inclusion

```bash
python main.py --inclusion 482833136 --artifact artifact_2.md
```

output will confirm:

* signature validity
* offline root hash calculation
* inclusion proof verification
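the *offline root hash calculation* and *inclusion proof verification* steps above, as an added example that is not the repository's `main.py` or `merkle_proof.py`: it builds a small tree over constructed leaves (stand-ins for real rekor entries), issues an audit path for one of them, and recomputes the root from `logIndex`, tree size and path the way RFC 9162 specifies. the leaf bytes, tree size and function names are assumptions made for the example.

```python
import hashlib

# RFC 6962 hashing as used by Rekor: leaves and interior nodes get different
# domain-separation prefixes, so a leaf can never pass as a node in a proof.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves: list[bytes]) -> bytes:
    """Log side: root over all leaves (MTH in RFC 6962)."""
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_path(m: int, leaves: list[bytes]) -> list[bytes]:
    """Log side: audit path for leaf m, sibling hashes ordered leaf to root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]

def root_from_inclusion_proof(leaf: bytes, index: int, tree_size: int,
                              proof: list[bytes]) -> bytes:
    """Verifier side: recompute the root offline from the leaf, its logIndex, the
    checkpoint tree size and the audit path (RFC 9162, section 2.1.3.2)."""
    if index >= tree_size:
        raise ValueError("logIndex outside the tree")
    fn, sn, r = index, tree_size - 1, leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            raise ValueError("proof longer than the tree height")
        if fn & 1 or fn == sn:        # current node is a right child (or last)
            r = node_hash(p, r)
            while fn and not fn & 1:  # skip levels where it has no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:                         # current node is a left child
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    if sn != 0:
        raise ValueError("proof shorter than the tree height")
    return r
```

the caller compares the returned root with the checkpoint root hash; a tampered leaf, a wrong `logIndex` or a truncated path either yields a different root or raises, which is what `--inclusion` has to surface as a failure.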

#### b) verify tree consistency

```bash
python3 main.py --consistency \
  --tree-id 1193050959916656506 \
  --tree-size 360933865 \
  --root-hash 141a3c752daec75b527dd79101d859a33c38d94b4721e54328a9427a5a50c271
```

---

## demo screenshot

![sigstore demo](demo.png)

---

## prerequisites

* python 3.8+
* `sigstore` cli tool
* `jq` for json parsing
* `pip install -r requirements.txt` (if present)

---

## use case

this setup is ideal for:

* securing ci/cd pipelines
* ensuring integrity of open-source releases
* validating provenance of dependencies

---

## author

**aaditya rengarajan `<ar9668>`**  
assignment for **software supply chain security**

---

## [to-do]

- [ ] review test-cases written with ai-assistance
