In a bid to secure the open source software supply chain, the Linux Foundation, together with Red Hat, Google, and Purdue University have combined to launch a new project to help developers cryptographically sign their software.
Considering the constant increase in the rate of industrial adoption of open source software, the project, called sigstore, aims to prevent an attack on a public software repository from injecting tainted code in the supply chain.
“sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO.
Supply chain security
Arguing that the modern software supply chain is exposed to multiple risks, the project says the existing toolset, which involves people meeting in person to sign each other’s keys, which has worked well for so long, isn’t anymore feasible in the current environment with geographically dispersed remote teams.
Now throw in the complexities of key management, revocation, public key distribution and artifact digests, and you end up in a situation where many open source projects choose not to sign their release in order to avoid the overhead.
To overcome this, sigstore pitches itself as “a free to use, non-profit software signing service that harnesses existing technologies of x509 PKI and transparency logs.” The new service will help developers and users understand and confirm the origin and authenticity of software, with minimum overhead.
It should be noted that the recent SolarWinds attacks were one of the most widespread and devastating examples of a supply chain attack.
“Securing a software deployment ought to start with making sure we’re running the software we think we are. sigstore represents a great opportunity to bring more confidence and transparency to the open source software supply chain,” said Josh Aas, executive director of the non-profit SSL certificate authority, Let’s Encrypt.