Linux Foundation sigstore finds ‘origins’ in software supply chains

The Linux Foundation announced the sigstore project this spring.

Designed to improve the security of the software supply chain, sigstore is said to enable the adoption of cryptographic software signing backed by transparency log technologies.

Software application development professionals will be able to securely sign software artifacts such as release files, container images and binaries. 

Signing materials are then stored in a tamper-proof public log. 

The service will be free to use for all developers and software providers, with the sigstore code and operation tooling developed by the sigstore community. 

Founding members include Red Hat, Google and Purdue University, in Indiana.

“[We can say that] sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, security engineering lead, Red Hat office of the CTO. “By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development.”

Understanding and confirming the origin and authenticity of software relies on an often disparate set of approaches and data formats. 

The facts about software origins

The solutions that do exist often rely on digests stored on insecure systems that are susceptible to tampering, which can lead to various attacks such as digests being swapped out or users falling prey to targeted attacks.

Very few open source projects cryptographically sign software release artifacts. 

This is largely due to the challenges software maintainers face with key management, key compromise/revocation and the distribution of public keys and artifact digests.

In turn, users are left to seek out which keys to trust and to learn the steps needed to validate signing. Further problems exist in how digests and public keys are distributed: they are often stored on websites susceptible to hacks or in a README file situated on a public git repository.

sigstore seeks to solve these issues by using short-lived ephemeral keys with a trust root leveraged from open and auditable public transparency logs.

“I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure. This will set a new tone in the software supply chain security conversation,” said Santiago Torres-Arias, assistant professor of Electrical and Computer Engineering, University of Purdue / in-toto project founder.

“We at Red Hat have known for a long time about the importance of digitally signing code. That’s why for many years we have offered verifiability using cryptographically secure signatures in all our distributed software packages as part of the RPM package system. Extending these principles in open ways to more and more software developers, maintainers and packagers is an important step for the whole ecosystem,” said Jan H Wildeboer, Red Hat EMEA Open Source Affairs.

For more information and to contribute visit: https://sigstore.dev