In an effort to secure the free software supply chain, the Linux Foundation (the non-profit organization that fosters innovation through open source) has partnered with Red Hat, Google, and Purdue University to launch a new project to help developers easily adopt cryptographic signature in software.
This new project is supported by record transparency technologies, as the ever increasing industrial adoption rate of open source software, the project, Sigstore, aims to prevent an attack on a public software repository from injecting corrupt code into the supply chain.
sigstore will allow software developers to sign securely software artifacts such as version files, container images, and binaries. It is mentioned that signed items are stored in a tamper-proof public journal.
SigStore seeks to enable developers to understand and confirm the origin and authenticity of software that is based on an often disparate set of approaches and data formats. Existing solutions are often based on "summaries" (hash or results of a hash function) stored on insecure systems, which can be corrupted and lead to various attacks, such as hash exchange or hash function, attacks directed against users.
The use of the service will be free to all software developers and vendors, and the SigStore community will develop the code and operational tools for the sigstore. Red Hat, Google and Purdue University are among the founding members of the project.
"Sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and verifiable software supply chain," said Luke Hinds, chief security officer, Red Hat CTO office. . "By hosting this collaboration at the Linux Foundation, we can accelerate our work on sigstore and support the continued adoption and impact of open source software and development."
“Securing a software implementation should start with making sure that we are running the software that we think we have. sigstore represents a great opportunity to bring more trust and transparency to the open source software supply chain, ”said Josh Aas,
Arguing that the modern software supply chain is exposed to multiple risks, the project says that existing tools, that involve people meeting in person to sign keys, and that have worked well for so long, can no longer be achieved in today's environment with geographically dispersed areas.
Also, it is mentioned that there are very few open source projects that cryptographically sign software version artifacts. This is due in large part to the challenges software maintainers face in key management, key compromises, revocation and distribution of public keys and hash artifacts. This means that users must figure out which keys to trust and learn the steps required to validate the signature.
“Sigstore aims to make all versions of open source software verifiable and to facilitate verification by users. Hopefully we can make this as easy as exiting vim, ”said Dan Lorenc, software engineer on Google's open source software security team.
Another problem is how hashes and public keys are distributed: they are often stored on potentially hacked websites or in a README file located in a public git repository.
SigStore seeks to address these issues by using short lived ephemeral keys with a root of trust drawn from an open and verifiable public transparency registry. The new service will help developers and users understand and confirm the origin and authenticity of the software, with minimal overhead.
“I am very excited about a system like sigstore. The software ecosystem urgently needs such a system to report on the status of the supply chain. I think with sigstore, which answers all questions about software sources and ownership, we can start asking questions about software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructures. ”, said Santiago Torres-Arias