{"id":41885,"date":"2021-03-11T16:09:59","date_gmt":"2021-03-11T16:09:59","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=806f1d73f59a47aa30b8c535390cb637"},"modified":"2021-03-11T16:09:59","modified_gmt":"2021-03-11T16:09:59","slug":"google-and-red-hat-team-up-with-linux-foundation-for-software-signing-service","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/google-and-red-hat-team-up-with-linux-foundation-for-software-signing-service\/","title":{"rendered":"Google and Red Hat team up with Linux Foundation for software-signing service"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\">\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/keumars-afifi-sabet-0\">Keumars Afifi-Sabet<\/a><\/span>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">10 Mar, 2021<\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"field field-name-body\">\n<p>The Linux Foundation has launched a free-to-use service for <a href=\"https:\/\/www.itpro.co.uk\/software\/28109\/what-is-open-source\"  data-cke-saved-href=\"https:\/\/www.itpro.co.uk\/software\/28109\/what-is-open-source\">open source<\/a> developers to <a href=\"https:\/\/www.itpro.co.uk\/security\/cyber-security\/356584\/quantum-security-the-end-of-security-as-we-know-it\"  data-cke-saved-href=\"https:\/\/www.itpro.co.uk\/security\/cyber-security\/356584\/quantum-security-the-end-of-security-as-we-know-it\">cryptographically sign<\/a> software to reassure users further down the supply chain that the software they\u2019re using is legitimate.<\/p>\n<p>Developed in partnership with <a 
href=\"https:\/\/www.itpro.co.uk\/google\"  data-cke-saved-href=\"https:\/\/www.itpro.co.uk\/google\">Google<\/a> and <a href=\"https:\/\/www.itpro.co.uk\/red-hat\"  data-cke-saved-href=\"https:\/\/www.itpro.co.uk\/red-hat\">Red Hat<\/a>, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.<\/p>\n<p>The aim is to make it easier for developers to sign releases and for users to verify them, with widespread uptake translating to a reduction in the threat of <a href=\"https:\/\/www.itpro.co.uk\/software\/28109\/what-is-open-source\"  data-cke-saved-href=\"https:\/\/www.itpro.co.uk\/software\/28109\/what-is-open-source\">open source<\/a> supply chain attacks. This is because one of the major issues with open source software is it\u2019s often difficult to determine where the software came from, and how it was built.<\/p>\n<p>\u201cInstalling most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine,\u201d said Google\u2019s product manager Kim Lewandowski and product engineer Dan Lorenc. \u201cTo address this we need to make it possible to verify the provenance of all software &#8211; including open source packages.<\/p>\n<p>\u201cThe mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let\u2019s Encrypt for Code Signing. Just like how Let\u2019s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.\u201d<\/p>\n<p>Sigstore takes a unique approach to key management by issuing short-lived certificates based on OpenID Connect grants, and storing all activity in logs backed by the Trillian instant management software. 
This is so the team can detect compromises, and recover from them, when they do occur.<\/p>\n<p>This approach has been devised in light of the fact that key distribution is \u201cnotoriously difficult\u201d, leading developers to design away the need for a management hub by building a <a href=\"https:\/\/www.itpro.co.uk\/security\/31775\/what-is-public-key-infrastructure-pki\" >Root Certificate Authority (CA)<\/a> which will be made available for free.<\/p>\n<p>News of this project follows <a href=\"https:\/\/www.itpro.co.uk\/software\/linux\/358716\/google-to-fund-linux-developers-to-fix-kernel-security-problems\">Google&#8217;s commitment to help fund two Linux developers<\/a> in their ambitions to fix kernel security problems. This responded to a need for additional work on open source software security that recent research identified.<\/p>\n<p>\u201cI am very excited about sigstore and what this means for improving the security of software supply chains,\u201d said Luke Hinds, one of the lead developers on sigstore and Red Hat\u2019s security engineering lead.<\/p>\n<p>\u201cSigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.\u201d<\/p>\n<p>The team behind the sigstore project will build on this momentum in the near future with further tweaks, including hardening the system, adding support for other OpenID Connect providers, and updating documentation. 
<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>      Keumars Afifi-Sabet<\/p>\n<p>        10 Mar, 2021    <\/p>\n<p>      The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software the&#8230;<\/p>\n","protected":false},"author":433,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-41885","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/433"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=41885"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41885\/revisions"}],"predecessor-version":[{"id":41886,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41885\/revisions\/41886"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=41885"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=41885"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=41885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}