How to Scale End-to-End Observability in AWS Environments

Linux Debuts Sigstore to Facilitate Software Supply

Insecurities of software acquisition from public repositories might have hit a cul de sac thanks to free-to-use Sigstore.

March 16, 2021, 5:08 p.m.

TL;DR

The Linux Foundation launched the nonprofit, free-to-use software on the 9th of March, 2021. This is a solid effort to reduce the exposure of the open-source software supply chain to risks.

Code signing cryptographically validates that software is untampered before installation.

Key Facts

1
Sigstore uses 100% open-sourced operation client tooling developed by the Sigstore community.
2
This cryptographic signing software uses public logging, which reduces the security risks that come with traditional means.
3
Unlike usual blockchains, Sigstore employs transparency logs, citing their resilience to majority attacks and maturity.

Details

As demonstrated by the recent dependency confusion attacks, the open-source ecosystem is exposed to supply chain attacks.

To execute these assaults, vigilante actors create open-source packages with names similar to public original packages and upload them to public repositories. If a developer takes the bait and installs the malicious package on their project, malware would have found its way in.

This project is the product of Google, Red Hat, and Purdue University's combined efforts to thwart this threat.

This project aims to make it easy for developers to explore open-source software and for users to verify them. It is encryption for code signing, another notable feature of Sigstore is the backing by transparency logs, meaning all certificates are visible globally, auditable and discoverable

Harnessing existing technologies like x509 PKI and transparency logs, Sigstore client tooling induces ephemeral pairs for users. The tool is open source and freely available for all developers. There are no privacy problems attached as Sigstore requires no private information access, only the OpenID Connect grant containing the client's email address.

Users of software supply chains are easy targets to various attacks, including account and communication security key compromise. Keys require frequent maintenance, permits in use, and those of dormant individuals. These make resolutions challenging for software maintenance to manage. Essential control aside, many open source projects store keys on exposed websites or in public git repositories.

In turn, users are left to seek out which keys to trust and earn steps needed to validate signing.

said the Linux Foundation in a press release.

Public logging through the OpenID connect gives users the advantage of subsisting security controls such as 2FA, OTP, and hardware token generators.

Code signing cryptographically validates that software is untampered before installation. It could prove a valuable tool in preventing hackers from delivering malware by co-opting patching systems or software distribution.

Provenance, integrity, and discoverability are what Sigstore's transparency logs represent. Thanks to the transparency, open-source, anyone can scrutinize the transparency logs in the case of suspicious concerns, execute queries and return entries signed by a particular email address. It also enables policing by security researchers to fish out notorious demeanor.

The project, for now, is in the early stages of development, but the coordinators ask for feedback and involvement from other developers.

Sigstore is evidence of the Linux Foundation's efforts to be the one universal digital signing standard.