Free digital signing service aims to strengthen software supply chain security

Most of the code in today’s software and artifacts is open source in origin. Still, the security checks around that code are not as sophisticated or widespread as they should be. For this reason, strong, verifiable signatures must be captured: they provide insight into components, their authors and any manipulation.

“You wouldn’t bake a cake without reasonable assurance that the ingredients you were using were pure,” said Trevor Rosen, staff manager of engineering and chief of package security at GitHub. “But that’s basically what software authors using open source without signatures have to do today: use the ingredient and hope for the best.”

To support wider adoption of software signatures and further protect the software supply chain, the Sigstore community today announced at SigstoreCon the general availability of its free software signing service.

The tool is designed to improve supply chain security by making it easy to sign, verify, and audit the software developers build and use.

Signatures are “hugely useful” within a software supply chain, where code and artifacts are passed along a chain of systems, said Luke Hinds, founder of the project and head of security engineering in Red Hat’s office of the CTO.

“With digital signatures, we can ensure that the software is fraud-free and has certainty about its source of origin,” he said.

Verification to prevent data breaches

Supply chain attacks now account for one fifth of all data breaches, the cost of which has reached a record high of $4.35 million.

“Supply chain security issues are ubiquitous because the attack surface is huge, the payoff for success is huge, and the ecosystem today has relatively few defenses,” Rosen says.

That’s why it’s so important to digitally sign the various artifacts that make up applications — from binaries and containers to aggregated files and software bills-of-materials (SBOMs). Digital signatures help guarantee that a piece of software has not been changed since it was signed, explains Priya Wadhwa, a software engineer at Chainguard, a Sigstore sponsor.

“They are one of the first lines of defense when verifying the authenticity of a piece of software and a critical part of a secure software supply chain,” she said.

Originally conceived and prototyped at Red Hat and now under the auspices of the Linux Foundation, the open-source Sigstore aims to make cryptographic signing easier.

“Unfortunately, as evidenced by numerous supply chain attacks in recent years, the software supply chain is still vulnerable to manipulation by various threat vectors,” said Bob Callaway, tech lead and manager at Google’s open source security team.

“When properly verified,” he said, “digital signatures allow software consumers to make informed decisions about the provenance of artifacts and metadata.”

Actively maintained and scaled by more than 70 organizations, Sigstore is becoming one of the fastest growing open source technologies, registering more than 4 million signatures.

It’s used by individual developers and enterprise customers, and Kubernetes and Python – two of the world’s largest open source communities – have adopted it. Most recently, the npm Registry – the JavaScript code sharing center – has announced that it is actively working on integrating Sigstore so that all npm packages can be linked to their source code and build instructions.

Historically, the adoption of cryptographic signatures within open source projects has been very low, largely due to the cumbersome tooling experience for developers, Hinds said. Callaway also described the frustrating user experience and “tricky” key management as major barriers to adoption.

Sigstore lets developers sign software, and lets consumers easily verify it, without anyone having to manage signing keys, Wadhwa explained. It also offers non-repudiation and integrity guarantees backed by strong cryptographic protocols.

Sigstore takes advantage of recent innovations in workload identity and certificate authority automation. Signing with traditional keys is still supported, but Sigstore also provides “keyless” signing, in which only an email address is required. It is designed to work in popular CI/CD environments such as GitHub Actions or Kubernetes, allowing developers to focus on writing software rather than on signing and verifying it, Wadhwa said.
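The two properties the article describes, that a signature proves an artifact has not changed since it was signed and that “keyless” signing binds a throwaway key to an identity such as an email address, can be shown end to end with Go’s standard library. The following is an added illustration, not code from the article or from the Sigstore project: a locally generated, self-signed certificate authority stands in for the role Sigstore’s Fulcio plays, the signer identity dev@example.com and the artifact bytes are constructed, and the certificate format (Ed25519 keys, a 10-minute lifetime) is chosen for the example rather than copied from Sigstore’s actual implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is what a keyless signer publishes beside an artifact: the signature over its
// SHA-256 digest plus the short-lived certificate binding the ephemeral key to an email.
type Bundle struct{ Signature, CertDER []byte }

// signArtifact is the signer side: generate a throwaway key, have the CA (Fulcio's role in
// Sigstore) bind it to the verified email in a 10-minute certificate, sign the digest, drop the key.
func signArtifact(artifact []byte, email string, ca *x509.Certificate, caKey ed25519.PrivateKey, now time.Time) (Bundle, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // ephemeral; never written anywhere
	if err != nil {
		return Bundle{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{email},
		NotBefore: now, NotAfter: now.Add(10 * time.Minute), KeyUsage: x509.KeyUsageDigitalSignature}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return Bundle{}, err
	}
	digest := sha256.Sum256(artifact)
	return Bundle{Signature: ed25519.Sign(priv, digest[:]), CertDER: certDER}, nil
}

// verifyArtifact is the consumer side: the certificate must chain to a trusted root and have
// been valid at signing time, name the expected identity, and the signature must verify now.
func verifyArtifact(artifact []byte, b Bundle, expectedEmail string, roots *x509.CertPool, signedAt time.Time) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: signedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted at signing time: %w", err)
	}
	identityOK := false
	for _, e := range cert.EmailAddresses {
		identityOK = identityOK || e == expectedEmail
	}
	if !identityOK {
		return fmt.Errorf("certificate names %v, expected %s", cert.EmailAddresses, expectedEmail)
	}
	digest := sha256.Sum256(artifact)
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, digest[:], b.Signature) {
		return errors.New("signature does not verify: artifact changed since it was signed")
	}
	return nil
}

// Outcome holds one verification result per scenario; nil means the artifact was accepted.
type Outcome struct{ Genuine, Tampered, WrongIdentity, Expired error }

// runScenario builds a stand-in CA, signs a constructed artifact as dev@example.com and verifies
// it four ways. The fixed clock keeps the run deterministic.
func runScenario() (Outcome, error) {
	now := time.Date(2022, 10, 25, 12, 0, 0, 0, time.UTC)
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "stand-in CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return Outcome{}, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	artifact := []byte("example-tool-1.0.0.tar.gz (constructed sample bytes)")
	b, err := signArtifact(artifact, "dev@example.com", ca, caKey, now)
	if err != nil {
		return Outcome{}, err
	}
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // one flipped bit is enough to invalidate the signature
	return Outcome{
		Genuine:       verifyArtifact(artifact, b, "dev@example.com", roots, now),
		Tampered:      verifyArtifact(tampered, b, "dev@example.com", roots, now),
		WrongIdentity: verifyArtifact(artifact, b, "someone-else@example.com", roots, now),
		Expired:       verifyArtifact(artifact, b, "dev@example.com", roots, now.Add(time.Hour)),
	}, nil
}
```

Only the first scenario is accepted. The tampered artifact fails because its digest no longer matches what was signed, and the wrong identity fails even though the signature itself is valid, which is why a consumer must always state whose signature it expects rather than trusting any certificate the CA issued. The fourth scenario shows the cost of short-lived certificates: checked an hour later, the certificate has expired, so the consumer needs a trusted record of when signing actually happened. In Sigstore that record is the transparency log (Rekor); here the verifier is simply handed the signing time as a parameter.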

With a modular architecture and support for multiple popular programming languages, it is easy to integrate into existing and new software supply chains.

The Sigstore community will operate the service with a 99.5% uptime SLO and 24-hour pager support.

The GA signals that “key entities in industry and academia are joining forces to provide sustainable solutions to one of the biggest threats to software security,” Rosen said.

Stop attacks before they do damage

Sigstore’s adoption rate has “far exceeded expectations,” illustrating the need for a GA release of Sigstore’s APIs, Hinds said.

It’s so popular because it “strikes the right balance” by providing a simple, easy-to-use developer experience coupled with strong security guarantees, he said.

Wadhwa explained that the Sigstore community has been working all year to strengthen the service’s infrastructure, stabilize the APIs, conduct an independent security audit and establish a vendor-neutral 24/7 on-call rotation.

“By starting to secure the long tail of open source software,” Rosen says, “Sigstore can be an essential part of a successful effort to stop these types of attacks before they have a chance to do damage.”

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

Shreya Christina, http://ukbusinessupdates.com
Shreya has been with ukbusinessupdates.com for 3 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider ukbusinessupdates.com team, Shreya seeks to understand an audience before creating memorable, persuasive copy.
