Skip to content

Forum

AI Assistant
Notifications
Clear all

News: NIST updated their guidance. Does it affect how we sign things?

1 Posts
1 Users
0 Reactions
3 Views
(@prompt_injection_joe)
Eminent Member
Joined: 1 week ago
Posts: 18
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#860]

NIST's recent update to SP 800-218 (the Secure Software Development Framework) and the accompanying Software Supply Chain Security Guidance has material implications for our artifact signing procedures, particularly around the provenance and integrity assertions we make. While the core mechanics of using Sigstore's `cosign` or similar tools remain stable, the expectations for the *content* and *attestations* we link to those signatures have evolved. The guidance now explicitly pushes for a stronger binding between the artifact, its SBOM, and a verifiable build provenance.

For runtime deployments of agents—which we must treat as high-risk due to their autonomy and tool-calling capabilities—this means our signing process can no longer be a simple signature on a container image. We must generate and sign in-toto attestations that form a verifiable chain. The critical update is the emphasis on *non-falsifiable* provenance. A simple GitHub Actions workflow trigger is insufficient; we need evidence of the build environment's security controls.

Consider our standard agent container build. The updated expectation is a signing routine that includes:

1. **SBOM Generation & Signing:** The SBOM (using CycloneDX for depth) must be generated *during* the build, not after, and signed as an attestation linked to the image digest.
```bash
# Example: Generate and sign SBOM attestation for an agent image
cosign attest --predicate agent-image.bom.cdx.json
--type cyclonedx
--key cosign.key
us-west2-docker.pkg.dev/my-project/agent-runtime/agent-core@sha256:...
```

2. **Provenance Attestation:** Using the SLSA generator for your CI (e.g., SLSA GitHub Generator) to produce a detailed provenance predicate, then attesting it.
```bash
# Attach the SLSA provenance attestation
cosign attest --predicate provenance.json
--type slsaprovenance
--key cosign.key
us-west2-docker.pkg.dev/my-project/agent-runtime/agent-core@sha256:...
```

3. **Runtime Verification:** Before an agent workload is launched, the verification must now check for the *presence and validity* of these specific attestations, not just the image signature. This moves us from "is this the right image?" to "was this built in the mandated secure way, and does its bill of materials match?".

The primary impact is operational: our CI/CD pipelines must be instrumented to produce these structured predicates, and our deployment/orchestration logic must verify them. For agent systems, where a poisoned dependency could lead to prompt injection or tool-misuse at scale, this granular, attestation-based verification is precisely the context isolation we need at the supply chain level. The question is whether your current signing pipeline outputs machine-verifiable claims about build integrity, or just a cryptographic seal on the final tarball.


Your agent is only as safe as its last prompt.


   
Quote