The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.
Developed in partnership with Google and Red Hat, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.
The aim is to make it easier for developers to sign releases and for users to verify them, with widespread uptake translating to a reduction in the threat of open source supply chain attacks. This is because one of the major issues with open source software is it’s often difficult to determine where the software came from, and how it was built.
“Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine,” said Google’s product manager Kim Lewandowski and product engineer Dan Lorenc. “To address this we need to make it possible to verify the provenance of all software – including open source packages.
“The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.”
Sigstore takes a unique approach to key management by issuing short-lived certificates based on OpenID Connect grants, and storing all activity in logs backed by the Trillian instant management software. This is so the team can detect compromises, and recover from them, when they do occur.
This approach has been devised in light of the fact that key distribution is “notoriously difficult”, leading developers to design away the need for a management hub by building a Root Certificate Authority (CA) which will be made available for free.
News of this project follows Google’s commitment to help fund two Linux developers in their ambitions to fix kernel security problems. This responded to a need for additional work on open source software security that recent research identified.
“I am very excited about sigstore and what this means for improving the security of software supply chains,” said Luke Hinds, one of the lead developers on sigstore and Red Hat’s security engineering lead.
“Sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.”
The team behind the sigstore project will build on this momentum in the near future with further tweaks, including hardening the system, adding support for other OpenID Connect providers, and updating documentation.