Linux Debuts Sigstore to Facilitate Software Supply

The insecurity of acquiring software from public repositories may have met its match in the free-to-use Sigstore.


The Linux Foundation launched the nonprofit, free-to-use service on 9 March 2021, a concrete effort to reduce the open-source software supply chain's exposure to risk.

Code signing cryptographically validates that software is untampered before installation.
Key Facts

1. Sigstore uses 100% open-source client tooling developed by the Sigstore community.

2. This cryptographic signing service uses public logging, which reduces the security risks that come with traditional key management.

3. Rather than a blockchain, Sigstore employs transparency logs, citing their maturity and resilience to majority attacks.


As demonstrated by the recent dependency confusion attacks, the open-source ecosystem is exposed to supply chain attacks.

To execute these attacks, malicious actors create packages whose names resemble those of legitimate public packages and upload them to public repositories. If a developer takes the bait and installs the malicious package into their project, the malware is in.

The project is the product of the combined efforts of Google, Red Hat, and Purdue University to thwart this threat.

The project aims to make it easy for developers to sign open-source software and for users to verify those signatures. Beyond the cryptographic code signing itself, a notable feature of Sigstore is its backing by transparency logs, meaning all certificates are globally visible, auditable and discoverable.

Harnessing existing technologies such as X.509 PKI and transparency logs, the Sigstore client tooling generates ephemeral key pairs for users. The tool is open source and freely available to all developers. Privacy concerns are limited, as Sigstore requires no access to private information, only an OpenID Connect grant containing the user's email address.

"Users of software supply chains are easy targets for various attacks, including account and communication security key compromise. Keys require frequent maintenance, permits in use, and those of dormant individuals. These make resolutions challenging for software maintenance to manage. Essential control aside, many open-source projects store keys on exposed websites or in public git repositories.

In turn, users are left to seek out which keys to trust and learn the steps needed to validate signing," said the Linux Foundation in a press release.

Using OpenID Connect for identity gives users the advantage of existing security controls such as 2FA, OTP, and hardware token generators.

Code signing cryptographically validates that software is untampered before installation. It could prove a valuable tool in preventing hackers from delivering malware by co-opting patching systems or software distribution.

Sigstore's transparency logs provide provenance, integrity, and discoverability. Because the logs are public, anyone can scrutinize them when something looks suspicious, for example by querying for every entry signed by a particular email address. This also lets security researchers monitor the logs for malicious activity.
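As an added illustration (not Sigstore's own code, and with the log reduced to a hash chain rather than Rekor's Merkle tree), the following Go sketch models the flow described in the ephemeral-key and transparency-log paragraphs above: a fresh key pair signs an artifact digest, the public key is published to a log alongside the OIDC-asserted e-mail, and a verifier later checks a download against that entry. The function names, the log schema and the e-mail addresses are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// LogEntry is a simplified log record; Rekor's real schema differs.
type LogEntry struct {
	Digest   [32]byte         // SHA-256 of the artifact
	PubKey   *ecdsa.PublicKey // ephemeral key, published so anyone can verify
	Identity string           // e-mail asserted by the OIDC provider
	Sig      []byte           // ASN.1 ECDSA signature over Digest
}

type TransparencyLog []LogEntry // append-only; the real service uses a Merkle tree

// Head hash-chains all entries into one value a monitor pins and re-checks; rewriting history changes it.
func (tl TransparencyLog) Head() [32]byte {
	var h [32]byte
	for _, e := range tl {
		buf := append(append(h[:], e.Digest[:]...), e.PubKey.X.Bytes()...)
		buf = append(append(buf, e.PubKey.Y.Bytes()...), e.Identity...)
		h = sha256.Sum256(append(buf, e.Sig...))
	}
	return h
}

// SignEphemeral models keyless signing: a fresh P-256 key signs once, is dropped, and only its public half is logged.
func SignEphemeral(tl *TransparencyLog, artifact []byte, identity string) (int, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return 0, err
	}
	*tl = append(*tl, LogEntry{digest, &priv.PublicKey, identity, sig})
	return len(*tl) - 1, nil
}

// Verify checks a download against entry idx (assumed in range): digest, expected identity, signature.
func Verify(tl TransparencyLog, idx int, artifact []byte, want string) bool {
	e, digest := tl[idx], sha256.Sum256(artifact)
	return digest == e.Digest && e.Identity == want && ecdsa.VerifyASN1(e.PubKey, digest[:], e.Sig)
}
```

Note that Verify alone cannot tell that a log operator rewrote an entry's identity after the fact; that is what comparing a previously pinned Head against the current one is for.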

The project, for now, is in the early stages of development, but the coordinators ask for feedback and involvement from other developers.

Sigstore is evidence of the Linux Foundation's effort to establish a single, universal digital-signing standard.
