Maven Central and Sigstore⚓︎
As custodians of the Maven Central registry, it’s important to us here at Sonatype to ensure Central remains accessible, secure and modern for users and publishers.
With this in mind, over the past few years we have been investing heavily in Maven Central with the goal of modernizing the platform, improving the security of publishing and consumption and providing the developer experience consistent with expectations of contemporary software registries. This is a wide ranging effort that is expected to improve upon nearly every aspect of the platform.
As we work through design and planning activities, the emergence of sigstore as a solution to address provenance concerns that are critical to software supply chains is particularly exciting to us.
Like many other software and package registries, Maven Central currently relies heavily on developer GPG signatures of artifacts to guarantee their authenticity and integrity: signatures are a requirement for publication to Maven Central, and while providing for some added security, the implementation has an outsized impact on complexity and publication times for our publishers.
And, like other registries, the value of these signatures is not truly realized due to shortcomings in public key infrastructure, developer tooling, and no extant chain of trust for developers. Sigstore is literally designed to solve this problem with elegance and runtime properties that are especially appealing in common Java development and CI environments.
We have every intent to adopt sigstore as part of the Maven Central platform. Additionally, Sonatype is in consultation with the Linux Foundation and OpenSSF to better understand the dimensions of our participation with their efforts to further support activities relevant to software supply chain security and observability.
What's Next?⚓︎
We are moving forward with the following activities:
-
Identifying relevant stakeholders & establishing a communications plan for interactions with respect to sigstore and Maven Central.
-
Review current work (RubyGems RFC, etc), with an eye towards identifying unanswered questions, concerns, and constraints that are relevant to Maven Central users.
-
Creating proof-of-concept code in order to facilitate design & implementation of a full-fledged solution.
-
Development of an authoritative & public technical document regarding the implementation of sigstore for Maven Central, with considerations towards a phased implementation and impact to new and existing users.
We’re unsure how the broader community of Maven Central users and stakeholders wishes to contribute to this effort, but Sonatype is excited to understand your thoughts and perspectives. We are confident that a collaborative approach to addressing these shared concerns will result in a better overall solution.
Note
A previous version of this post included a first look at our roadmap for Maven Central. This content has been moved to its own blog post: Maven Central Roadmap: A First Look.
--Jason Swank
Director of Engineering, Maven Central