Google and Red Hat team up with Linux Foundation for software-signing service

The project aims to cryptographically verify open source software to mitigate supply chain security risks

Programming code abstract on a reflective background

The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.

Developed in partnership with Google and Red Hat, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.

The aim is to make it easier for developers to sign releases and for users to verify them, with widespread uptake translating to a reduction in the threat of open source supply chain attacks. This is because one of the major issues with open source software is it’s often difficult to determine where the software came from, and how it was built.

“Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine,” said Google’s product manager Kim Lewandowski and product engineer Dan Lorenc. “To address this we need to make it possible to verify the provenance of all software - including open source packages.

“The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.”

Sigstore takes a unique approach to key management by issuing short-lived certificates based on OpenID Connect grants, and storing all activity in logs backed by the Trillian instant management software. This is so the team can detect compromises, and recover from them, when they do occur.

This approach has been devised in light of the fact that key distribution is “notoriously difficult”, leading developers to design away the need for a management hub by building a Root Certificate Authority (CA) which will be made available for free.

News of this project follows Google's commitment to help fund two Linux developers in their ambitions to fix kernel security problems. This responded to a need for additional work on open source software security that recent research identified.

“I am very excited about sigstore and what this means for improving the security of software supply chains,” said Luke Hinds, one of the lead developers on sigstore and Red Hat’s security engineering lead.

Related Resource

Five critical questions to ask your identity provider

How to distinguish best-of-breed identity

Five critical questions to ask your identity provider - whitepaper from OktaDownload now

“Sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.”

The team behind the sigstore project will build on this momentum in the near future with further tweaks, including hardening the system, adding support for other OpenID Connect providers, and updating documentation.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021