Sigsum mailing lists

Sigsum-general

sigsum-general@lists.sigsum.org

April 2025

  • 1 discussions
Experimental project using Sigsum and Sigstore to sign and verify web-applications in the browser
by Giulio 05 May '25

Hi all,

For my master's thesis, and as a way to showcase a solution to the long-standing problem of using web applications for cryptographic tasks in the browser, without having to rely on server trust, I've developed a system that integrates a few components:

- Sigsum is used to transparently build a list of authorized signers for each domain that wants to participate in the system.
- Sigstore is used to sign executable web assets (JS, HTML, CSS, WASM) using OIDC identities, with the authorization for a specific domain verified against the Sigsum-powered list.

The demo shows the system securing some of the most common self-hostable web apps, such as Jitsi, Element, and CryptPad.

There is currently some shared interest from the Tor Project in bringing similar functionality into TBB.

For a higher-level description, see [1], and for the project repository, see [2].

I’ll share my thesis at a later date, which will include additional insights and threat modeling for the whole system.

Cheers
Giulio

[1] - https://securedrop.org/news/introducing-webcat-web-based-code-assurance-and…
[2] - https://github.com/freedomofpress/webcat