



One of the fundamental security issues with open source is that it is difficult to know where the software came from or how it was built, which leaves it susceptible to supply chain attacks. Recent examples include the dependency confusion attack and malicious RubyGems packages that steal cryptocurrency.

Today, we welcome the announcement of sigstore, a new project of the Linux Foundation that aims to solve this problem by improving the integrity and validation of software supply chains.

Installing most open source software today is the equivalent of picking up a random thumb drive off the sidewalk and plugging it into your machine. To address this, it must be possible to verify the provenance of all software, including open source packages. I talked about the importance of this in a recent Know, Prevent, Fix post.

The mission of sigstore is to make it easy for developers to sign releases and for users to verify those signatures. You can think of it as Let’s Encrypt for code signing. Just as Let’s Encrypt provides free HTTPS certificates and automation tooling, sigstore provides free certificates and tooling to automate and verify signatures on source code. Sigstore also has the added benefit of being backed by transparency logs, which means that all certificates and attestations are globally visible, discoverable, and auditable.

Sigstore is designed with open source maintainers, for open source maintainers. We understand that long-term key management is hard, so we have taken the unusual approach of issuing short-lived certificates based on OpenID Connect grants: a developer authenticates with an identity provider, and the certificate binds that identity to a key that only needs to live for the duration of the signing operation. Sigstore also records all activity in a Trillian-backed transparency log, which makes compromises easier to detect and to recover from when they do occur. Key distribution is notoriously difficult, so we designed away the need for developers to manage and distribute their own keys by building a dedicated root CA just for code signing, which will be made available for free.
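To make the mechanism described above concrete, here is an added Go sketch of the keyless flow: a dedicated code-signing root issues a ten-minute certificate for a throwaway key bound to the signer's identity, the signature plus certificate are recorded with an integrated time as a log entry, and a verifier checks the chain as of that recorded time rather than the wall clock. This is editor-written example code, not the post's or the sigstore project's own implementation. It assumes the simplifications noted in the comments: the OpenID Connect grant is modeled as an email claim the issuer has already verified (no real token exchange), the log is a single record without a Merkle tree or inclusion proofs, and the root name, email address and artifact bytes are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entry is the record a transparency log keeps for one signing event (no Merkle
// tree or inclusion proofs in this toy; a real log such as Trillian has both).
type Entry struct {
	Digest       [32]byte          // SHA-256 of the signed artifact
	Signature    []byte            // ASN.1 ECDSA signature over Digest
	Cert         *x509.Certificate // short-lived certificate naming the signer
	IntegratedAt time.Time         // when the log recorded the entry
}

// createCert signs tmpl with priv (the parent's key) and returns the parsed result.
func createCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRoot makes a toy code-signing root CA standing in for the dedicated root
// the post describes; it is the only party that ever holds a long-lived key.
func NewRoot(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy code-signing root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := createCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// Sign is the keyless flow: a throwaway key is generated, certified for ten
// minutes against the signer's identity (the OpenID Connect grant is modeled as
// an email claim the issuer has already verified), used once, and dropped.
func Sign(artifact []byte, email string, root *x509.Certificate, rootKey *ecdsa.PrivateKey, now time.Time) (Entry, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Entry{}, err
	}
	cert, err := createCert(&x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), EmailAddresses: []string{email},
		NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, &key.PublicKey, rootKey)
	if err != nil {
		return Entry{}, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return Entry{Digest: digest, Signature: sig, Cert: cert, IntegratedAt: now}, err
}

// Verify is what a user runs: trust only root, require that the certificate
// names exactly the expected identity, and validate the chain with "at" as the
// clock. Callers pass e.IntegratedAt, the time the log recorded the signature;
// the wall clock would reject anything older than ten minutes, since the
// certificate has long expired by then.
func Verify(artifact []byte, email string, root *x509.Certificate, e Entry, at time.Time) error {
	if sha256.Sum256(artifact) != e.Digest {
		return fmt.Errorf("artifact digest does not match the log entry")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := e.Cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := e.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || len(e.Cert.EmailAddresses) != 1 || e.Cert.EmailAddresses[0] != email ||
		!ecdsa.VerifyASN1(pub, e.Digest[:], e.Signature) {
		return fmt.Errorf("no valid signature by %s over the artifact", email)
	}
	return nil
}
```

Exercising it: `root, rootKey, _ := NewRoot(now)`, then `entry, _ := Sign(artifact, "maintainer@example.com", root, rootKey, now)`, then `Verify(artifact, "maintainer@example.com", root, entry, entry.IntegratedAt)` returns nil, while the same call with a different email, a modified artifact, a root the verifier does not trust, or `now.Add(time.Hour)` as the clock returns an error. Two things the sketch makes visible that the prose only implies: the signing key exists only inside Sign and is never stored or distributed, and the integrated time the verifier relies on comes from the log, which is exactly why the log has to be transparent and auditable rather than a private database.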

We have a working prototype and a proof of concept, and we’re happy to share it for feedback. Our goal is to make code signing and verification seamless and simple.

It has been fun collaborating with Red Hat and people in the open source community on this project. Luke Hinds, one of the lead developers on sigstore and Security Engineering Lead at Red Hat, said: “… working together to develop solutions and facilitate the adoption of software signing in a transparent way.” I couldn’t agree more.

Mike Malone, CEO of Smallstep, helped with the overall design of sigstore. He adds: “In less than a generation, open source has grown from a niche community into a critical ecosystem that strengthens global economic, social and cultural institutions. It is open and decentralized collaboration that makes this ecosystem work, and this ecosystem must be secured without compromise. By respecting privacy and building on an ingenious configuration of existing technologies that work at scale, sigstore addresses this fundamental problem: the core infrastructure needed to solve it. This is an ambitious project that has the potential for global impact. I’m impressed by the rapid progress of Google, Red Hat, and the Linux Foundation over the past few months, and excited to hear feedback from the wider community.”

We are pleased with the progress made so far, but we know there is still work to be done before sigstore can be widely relied upon. Upcoming plans include hardening the system, adding support for other OpenID Connect providers, updating the documentation, and responding to community feedback.

Sigstore is still in its early days, but we are very excited about its future. Now is a great time to provide feedback, try out the tools, and get involved in the project while the design details are still being refined.

