Linux Foundation launches free service to verify software authenticity
The Linux Foundation, the non-profit organization enabling innovation through open source, has announced a new service to improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing.
Called 'sigstore', it will allow software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials will then be stored in a tamper-proof public log. Founding members of the project include Red Hat, Google and Purdue University.
"sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain," says Luke Hinds, security engineering lead in the Red Hat office of the CTO. "By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development."
Very few open source projects cryptographically sign their software release artifacts. This is largely due to the challenges software maintainers face with key management, key compromise, revocation, and the distribution of public keys and artifact digests. As a result, users are left to work out which keys to trust and to learn the steps needed to validate a signature. There are further issues with how digests and public keys are distributed: they are often stored on websites susceptible to hacks or in a README file in a public git repository. With sigstore these issues are avoided by using short-lived ephemeral keys with a trust root anchored in an open and auditable public transparency log.
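To make the two ideas in that paragraph concrete (a key that is generated for one signing operation and then discarded, and a log whose root hash lets anyone check that a signing record was really appended), here is an added Go example. It is not sigstore's own code and omits the identity binding the real service adds on top of the ephemeral key; the Ed25519 keys, the RFC 6962-style Merkle tree, and the sample artifact strings are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is what gets published to the log: the artifact digest, the ephemeral
// public key that signed it, and the signature. The private key is never stored.
type Entry struct {
	Digest    []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// SignArtifact hashes the artifact and signs the digest with a freshly generated
// key pair. The private key goes out of scope here and is never reused.
func SignArtifact(artifact []byte) (Entry, error) {
	digest := sha256.Sum256(artifact)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Entry{}, err
	}
	return Entry{Digest: digest[:], PublicKey: pub, Signature: ed25519.Sign(priv, digest[:])}, nil
}

// Serialize gives a canonical byte form of an entry for hashing into the log.
func (e Entry) Serialize() []byte {
	return bytes.Join([][]byte{e.Digest, e.PublicKey, e.Signature}, nil)
}

// ProofNode is one sibling hash on the path from a leaf up to the root.
type ProofNode struct {
	Hash []byte
	Left bool // true when the sibling sits to the left of the running hash
}

// Domain-separated hashing as in RFC 6962: 0x00 for leaves, 0x01 for inner nodes.
func leafHash(data []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, data...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	h := sha256.Sum256(append(append([]byte{0x01}, left...), right...))
	return h[:]
}

// largestPowerOfTwoBelow returns the largest power of two strictly less than n (n >= 2).
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// Root computes the Merkle tree head over all logged entries.
func Root(leaves [][]byte) []byte {
	if len(leaves) == 0 {
		h := sha256.Sum256(nil)
		return h[:]
	}
	if len(leaves) == 1 {
		return leafHash(leaves[0])
	}
	k := largestPowerOfTwoBelow(len(leaves))
	return nodeHash(Root(leaves[:k]), Root(leaves[k:]))
}

// InclusionProof returns the sibling hashes needed to recompute the root from leaf m.
func InclusionProof(m int, leaves [][]byte) []ProofNode {
	if len(leaves) <= 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(len(leaves))
	if m < k {
		return append(InclusionProof(m, leaves[:k]), ProofNode{Hash: Root(leaves[k:]), Left: false})
	}
	return append(InclusionProof(m-k, leaves[k:]), ProofNode{Hash: Root(leaves[:k]), Left: true})
}

// VerifyEntry checks that the artifact matches the logged digest, that the signature
// verifies under the public key recorded in the log, and that the entry is included
// in a log with the given root. The verifier needs no key of its own, only the root.
func VerifyEntry(artifact []byte, e Entry, proof []ProofNode, root []byte) bool {
	digest := sha256.Sum256(artifact)
	if !bytes.Equal(digest[:], e.Digest) || !ed25519.Verify(e.PublicKey, e.Digest, e.Signature) {
		return false
	}
	h := leafHash(e.Serialize())
	for _, p := range proof {
		if p.Left {
			h = nodeHash(p.Hash, h)
		} else {
			h = nodeHash(h, p.Hash)
		}
	}
	return bytes.Equal(h, root)
}

func main() {
	// Constructed sample artifacts standing in for release tarballs.
	artifacts := [][]byte{[]byte("release-1.0 contents"), []byte("release-1.1 contents"), []byte("release-2.0 contents")}
	var leaves [][]byte
	var entries []Entry
	for _, a := range artifacts {
		e, err := SignArtifact(a)
		if err != nil {
			panic(err)
		}
		entries = append(entries, e)
		leaves = append(leaves, e.Serialize())
	}
	root := Root(leaves)
	for i, a := range artifacts {
		fmt.Printf("entry %d verified: %v\n", i, VerifyEntry(a, entries[i], InclusionProof(i, leaves), root))
	}
	fmt.Println("tampered artifact verified:", VerifyEntry([]byte("other bytes"), entries[0], InclusionProof(0, leaves), root))
	fmt.Println("log root:", hex.EncodeToString(root))
}
```

The point of the structure is that a user only has to trust one published value, the log root, rather than hunt down a maintainer's long-lived public key; the key used for a given release is itself part of the logged, auditable record, and because it is discarded after use there is nothing to revoke later.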
"sigstore aims to make all releases of open source software verifiable, and easy for users to actually verify them. I'm hoping we can make this as easy as exiting vim," says Dan Lorenc of the Google Open Source Security Team. "Watching this take shape in the open has been fun. It's great to see sigstore in a stable home."
You can find out more on the sigstore site.