This repository contains the source code for scitt-ccf-ledger, an application that runs on top of CCF implementing draft standards developed within the IETF SCITT and COSE Working Groups:
- draft-ietf-scitt-architecture
- draft-ietf-cose-merkle-tree-proofs
- draft-ietf-cose-hash-envelope
- draft-ietf-scitt-scrapi
- draft-birkholz-cose-receipts-ccf-profile
The purpose of scitt-ccf-ledger is to provide transparent provenance for artefacts in digital supply chains. It achieves this by allowing signed claims about artefacts to be submitted to a secure immutable ledger, and returning receipts which prove claims have been stored and registration policies applied.
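The receipt described above carries an inclusion proof that lets a verifier check a signed statement is committed under a signed tree root. The following is an added example, not scitt-ccf-ledger code and not the exact CCF receipt profile (draft-birkholz-cose-receipts-ccf-profile): it implements a generic RFC 9162 style Merkle tree with inclusion proofs so the check a receipt enables can be seen end to end. The function names and the sample statements are constructed for this illustration.

```python
"""Added example: generic Merkle inclusion proof in the RFC 9162 style.

Not scitt-ccf-ledger code and not the CCF receipt profile; it only shows
what an inclusion proof inside a receipt lets a verifier check.
"""
import hashlib
from typing import List, Tuple


def leaf_hash(data: bytes) -> bytes:
    # RFC 9162 domain separation: leaves are hashed with a 0x00 prefix.
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes use a 0x01 prefix so a leaf can never be passed off as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (the RFC 9162 tree shape).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(leaves: List[bytes]) -> bytes:
    """Merkle tree head over the given leaves (empty tree hashes the empty string)."""
    if len(leaves) == 0:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Audit path for leaves[index]: (sibling_hash, sibling_is_left), leaf upwards."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(root_hash(leaves[k:]), False)]
    return inclusion_proof(leaves[k:], index - k) + [(root_hash(leaves[:k]), True)]


def verify_inclusion(statement: bytes, proof: List[Tuple[bytes, bool]], expected_root: bytes) -> bool:
    """Recompute the root from the statement and its audit path; compare to the signed root."""
    h = leaf_hash(statement)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == expected_root


# Constructed sample: five byte strings standing in for registered signed statements.
SAMPLE_STATEMENTS = [f"signed-statement-{i}".encode() for i in range(5)]


def demo() -> bool:
    """Register five statements, prove the fourth, and show a modified statement fails."""
    root = root_hash(SAMPLE_STATEMENTS)          # what the ledger would sign into a receipt
    proof = inclusion_proof(SAMPLE_STATEMENTS, 3)  # the audit path a receipt would carry
    genuine = verify_inclusion(SAMPLE_STATEMENTS[3], proof, root)
    tampered = verify_inclusion(b"signed-statement-3-modified", proof, root)
    return genuine and not tampered


if __name__ == "__main__":
    print("inclusion verified, tampering rejected:", demo())
```

In a real receipt the root is not trusted by itself: it arrives inside a COSE signature from the ledger, and the verifier checks that signature before recomputing the path, so a forged proof needs both a hash collision and a signature forgery.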
This project is open source to facilitate auditability and academic collaboration. We are keen to engage in research collaboration on this project, please do reach out to discuss this by opening an issue.
The instructions below guide you through building and deploying a local instance of scitt-ccf-ledger for development and testing purposes.
Being a CCF application, scitt-ccf-ledger targets AMD SEV-SNP but also supports running on x86-64 hardware without TEE support in what is called virtual mode.
All instructions below assume Linux as the operating system. scitt-ccf-ledger is primarily built on Azure Linux 3.0.
Use the following commands to start a single-node CCF network with the scitt-ccf-ledger application setup for development purposes.
Note: `PLATFORM` should be set to `virtual` or `snp` to select the type of build. If `PLATFORM` is set to `snp`, additional configuration is required. Refer to this section for more details.

```sh
export PLATFORM=<virtual|snp>
./docker/build.sh
./docker/run-dev.sh
```

The node is now reachable at https://127.0.0.1:8000/.
Note that run-dev.sh configures the network in a way that is not suitable for production, in particular it generates an ad-hoc governance member key pair and it disables API authentication.
See the demo/ folder on how to interact with the application.
scitt-ccf-ledger implements registration for two kinds of Signed Statements:
- Statements signed with an X.509 certificate chain (schema), which make use of header parameters defined in RFC9360 and `did:x509` issuers.
- Statements signed with hardware-attested, ephemeral keys (schema), which are currently experimental and make use of `did:attestedsvc` issuers.
See DEVELOPMENT.md for instructions on building, running, and testing scitt-ccf-ledger.
To help configure an application or interact with its API, you can use the available CLI.
The pyscitt CLI is written in Python and is available on PyPI here. To install it, you can use the following command:
```sh
pip install pyscitt
```

The CLI is also distributed through the GitHub releases as a wheel file. Optionally, it can be used from within the repository using the ./pyscitt.sh script. For example:

```sh
./pyscitt.sh --help
```

The CLI is extensively used in the following functional tests and demo scripts:
See pyscitt for more details.
See reproducibility.md for instructions.
A basic set of performance indicators can be obtained by building the project, and running:
```sh
./run_functional_tests.sh -m bencher
```

Also see .github/workflow/bencher.yml, and the dashboard. This is useful to understand the potential performance impact of changes.
This project welcomes contributions and suggestions. Please see the Contribution guidelines.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties’ policies.