Today, we will talk about "Sigstore". One of many, of the free and open projects under the tutelage of the Linux Foundation.
"Sigstore" It is basically a project created to provide a non-profit public good service, to improve supply chain de open source software facilitating the adoption of software cryptographic signature backed by transparency registration technologies.
"Sigstore", It's not the only one Linux Foundation project which we have talked about on previous occasions. Another of them has been Automotive Grade Linux, which we describe at the time as follows:
"Automotive Grade (Quality) Linux is an open source collaborative project that is bringing together automakers, vendors and technology companies to accelerate the development and adoption of a fully open software stack for the car of the future. With Linux at its core, AGL is developing an open platform from the ground up that can serve as the de facto industry standard to enable the rapid development of new features and technologies." Linux Foundation: Present at the Consumer Electronics Show 2020
Later, in future publications we will address other projects, but for those who wish to explore some of them by themselves, they can do so through the following link: Linux Foundation projects.
Table of Contents
Sigstore: A project of the Linux Foundation
What is Sigstore?
According to his own Sigstore official website, the same is:
"A project created with the objective of providing a non-profit public good service to improve the open source software supply chain by facilitating the adoption of the software cryptographic signature, supported by transparency registration technologies. In addition, it tries to train software developers to securely sign software artifacts such as release files, container images, binaries, bill of materials manifests, and more."
In addition, this project seeks to ensure that:
"The signed materials are stored in a tamper-proof public record."
Why is Sigstore important?
This project, its tools and members, seeks to avoid «attacks on the software supply chain », such as, what happened with Solarwinds and others well known in recent times.
"Microsoft said the hackers compromised SolarWinds' Orion monitoring and management software, allowing them to impersonate any existing user and account in the organization, including highly privileged accounts. Russia is said to have exploited layers of the supply chain to access government agency systems."
Be understood by «attack on the software supply chain » to the act by which, A hacker inserts malicious code into legitimate software to spread it everywhere.
Hence, free / open projects that are free and easy to implement, such as "Sigstore" they are more and more necessary in our days.
How to prevent attacks on the software supply chain?
Although, on other occasions, we have offered some useful information security advice, practical for everyone and at any time or situation, the following tips are directly focused on mitigating this type of attack as much as possible:
- Maintain an inventory of all own and third-party software tools, both free and open, and proprietary and closed, that are used.
- Be aware of known and future vulnerabilities, of all applications and systems used, to apply as soon as possible the patches that are officially available.
- Stay informed about detected breaches or attacks carried out, to own and third-party software providers, to avoid unexpected surprises in these ways.
- Eliminate in the shortest possible time, those systems, services and protocols that may be redundant (unnecessary) or obsolete (unused).
- Plan and implement joint strategies and security requirements with your software providers, to minimize the IT risk from them and your own security processes.
- Run regular code audits. And keep updated security reviews and change control procedures, required for each component of the code created or used.
- Perform routine penetration tests to identify potential hazards on your computing platform.
- Implement IT security measures such as access controls and double factor authentication (2FA) to protect software development processes.
- Run security software with multiple layers of protection. Especially against intrusions, viruses and rasomwares, so common these days.
- Keep your backup or contingency plan up to date, in order to safely maintain the vital data of your applications, systems and activities (processes), and be able to recover any of them, in the shortest possible time.
More about Sigstore
Finally, the developers of "Sigstore" they explain a little the operation of this project in the following way:
"Sigstore leverages existing x509 PKI technologies and transparency registries. Users generate short-lived ephemeral key pairs using the sigstore client tools. The sigstore PKI service will then provide a signing certificate generated after a successful OpenID connect grant. All certificates are recorded in a certificate transparency registry and software signing materials are submitted to a signature transparency registry."
"Using transparency records introduces a root of trust in the user's OpenID account. Thus we can have guarantees that the claimed user was in control of the account of an identity service provider at the time of signing. Once the signing operation is complete, the keys can be discarded, eliminating any need for additional key management or the need for revocation or rotation."
We hope this "useful little post" about us
«Sigstore», an interesting and useful project of the Linux Foundation, what is a transparency service and software signature public good and non-profit, created for improve supply chain open source software; is of great interest and utility, for the entire
«Comunidad de Software Libre y Código Abierto» and of great contribution to the diffusion of the wonderful, gigantic and growing ecosystem of applications of
For now, if you liked this
publicación, Do not stop share it with others, on your favorite websites, channels, groups or communities of social networks or messaging systems, preferably free, open and / or more secure as Telegram, Signal, Mastodon or another of Fediverse, preferably.
And remember to visit our home page at «FromLinux» to explore more news, as well as join our official channel of Telegram from DesdeLinux. While, for more information, you can visit any Online library as OpenLibra y JedIT, to access and read digital books (PDFs) on this topic or others.