Google and Red Hat team up with Linux Foundation for software-signing service

The project aims to cryptographically verify open source software to mitigate supply chain security risks

The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.

Developed in partnership with Google and Red Hat, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.

The aim is to make it easier for developers to sign releases and for users to verify them, with widespread uptake translating to a reduction in the threat of open source supply chain attacks. This is because one of the major issues with open source software is it’s often difficult to determine where the software came from, and how it was built.

“Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine,” said Google’s product manager Kim Lewandowski and product engineer Dan Lorenc. “To address this we need to make it possible to verify the provenance of all software - including open source packages.

“The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.”

Sigstore takes a unique approach to key management by issuing short-lived certificates based on OpenID Connect grants, and storing all activity in logs backed by the Trillian instant management software. This is so the team can detect compromises, and recover from them, when they do occur.

This approach has been devised in light of the fact that key distribution is “notoriously difficult”, leading developers to design away the need for a management hub by building a Root Certificate Authority (CA) which will be made available for free.

News of this project follows Google's commitment to help fund two Linux developers in their ambitions to fix kernel security problems. This responded to a need for additional work on open source software security that recent research identified.

“I am very excited about sigstore and what this means for improving the security of software supply chains,” said Luke Hinds, one of the lead developers on sigstore and Red Hat’s security engineering lead.

Related Resource

Five critical questions to ask your identity provider

How to distinguish best-of-breed identity

Five critical questions to ask your identity provider - whitepaper from OktaDownload now

“Sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.”

The team behind the sigstore project will build on this momentum in the near future with further tweaks, including hardening the system, adding support for other OpenID Connect providers, and updating documentation.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
What is single sign-on (SSO)?
single sign-on (SSO)

What is single sign-on (SSO)?

2 Dec 2021
Re:Invent 2021: Zerto unveils its disaster recovery solution for AWS
Amazon Web Services (AWS)

Re:Invent 2021: Zerto unveils its disaster recovery solution for AWS

1 Dec 2021