The Linux Foundation, in partnership with Red Hat, Google, and Purdue University, has announced a new digital signing project, potentially eliminating many of the issues that come with securing open-source software, files, images, and binaries.
The new open-source software signing service called “sigstore” comes in the wake of the SolarWinds supply chain attack that’s been dubbed “IT’s Pearl Harbor.”
sigstore is meant to let software developers sign artifacts such as release files, container images, and binaries, and to record the signing materials in a tamper-evident public log (a transparency log cannot prevent tampering, but it makes any tampering detectable). The service will be free to use for all developers and software providers, with the sigstore code and operational tooling developed by the sigstore community.
The project's founding members believe it can drastically change how open-source software is authenticated.
“We are happy to host and contribute to work that enables software maintainers and consumers alike to more easily manage their open-source software and security,” said Mike Dolan, Senior Vice President and General Manager of Projects for the Linux Foundation, in a statement.
Few open-source projects cryptographically sign their release artifacts. This is largely because of the challenges maintainers face with key management, key compromise and revocation, and the distribution of public keys and artifact digests. Users are left to work out for themselves which keys to trust and to learn the steps needed to validate a signature.
Digests and public keys are also often distributed poorly: published on websites that can be compromised, or in a README file in a public git repository, where an attacker who can tamper with the download can often tamper with the published digest as well. sigstore addresses these problems with short-lived ephemeral keys and a trust root anchored in open, auditable public transparency logs.
The technology behind sigstore is not new: it builds on X.509 public key infrastructure. The signing client generates an ephemeral key pair, and once the developer has authenticated with an OpenID Connect provider, the sigstore certificate service issues a short-lived signing certificate that binds the public key to that OpenID identity. The certificate and the signature are then recorded in the transparency log, which ties the signature to the user's OpenID account and gives verifiers an auditable trust root. Once signing is complete the private key is discarded, so there is no long-lived key to manage, rotate, or revoke; a verifier checks that the certificate was valid at the time the log recorded the signature, not at the time of verification.
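The flow described above, as an added example that is not part of the original article or of sigstore's own code: a toy Go program in which a stand-in certificate authority (assumed to have already verified the OpenID login, so the identity is passed in as a plain e-mail string) issues a ten-minute X.509 certificate for an ephemeral ECDSA key; the signer records the signature and certificate in a toy append-only log and drops the key; a verifier later validates the certificate at the log's integration time, checks the identity and the signature, and checks the log root. The names newCA, issue, sign, verify, Log and Entry, the e-mail identities and the sample artifact are this example's own, and the log root (a hash over the serialized entries) stands in for a real Merkle-tree log with inclusion proofs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// caKey and caCert are a toy certificate authority standing in for sigstore's certificate
// service (an assumption of this example, not sigstore's code); caCert is the verifiers' trust root.
var caKey, caCert = newCA()

func newCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-root"},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return key, cert
}

// issue is the CA's side of the flow: it takes the OpenID identity on trust, as if the login had
// just succeeded, and binds it (as the e-mail SAN) to the signer's public key for ten minutes only.
func issue(pub *ecdsa.PublicKey, identity string, now time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), EmailAddresses: []string{identity},
		NotBefore: now, NotAfter: now.Add(10 * time.Minute), KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
}

type Entry struct {
	Signature, CertDER []byte
	IntegratedTime     time.Time
}

// Log is append-only; Root commits to every entry in order (a Merkle root in a real log).
type Log struct{ Entries []Entry }

func (l *Log) Root() [32]byte {
	b, _ := json.Marshal(l.Entries) // deterministic for these field types
	return sha256.Sum256(b)
}

// sign is the client's side: ephemeral key, short-lived certificate tied to the OpenID identity,
// signature over the artifact digest, entry appended to the log. The private key is never stored.
func sign(tlog *Log, artifact []byte, identity string, now time.Time) (int, [32]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return 0, [32]byte{}, err }
	certDER, err := issue(&key.PublicKey, identity, now)
	if err != nil { return 0, [32]byte{}, err }
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil { return 0, [32]byte{}, err }
	tlog.Entries = append(tlog.Entries, Entry{sig, certDER, now})
	return len(tlog.Entries) - 1, tlog.Root(), nil // key goes out of scope: nothing to rotate or revoke
}

// verify checks a log entry, possibly long after its certificate has expired.
func verify(tlog *Log, idx int, artifact []byte, wantIdentity string, trustedRoot [32]byte) error {
	if tlog.Root() != trustedRoot || idx < 0 || idx >= len(tlog.Entries) {
		return fmt.Errorf("log root mismatch or missing entry: log tampered")
	}
	cert, err := x509.ParseCertificate(tlog.Entries[idx].CertDER)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	// Validate the chain at the log's integration time, not now: the certificate has long expired.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: tlog.Entries[idx].IntegratedTime}); err != nil {
		return fmt.Errorf("certificate not trusted at signing time: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantIdentity {
		return fmt.Errorf("signed by %v, expected %s", cert.EmailAddresses, wantIdentity)
	}
	digest := sha256.Sum256(artifact)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], tlog.Entries[idx].Signature) {
		return fmt.Errorf("signature does not cover this artifact")
	}
	return nil
}

func main() {
	tlog, artifact := &Log{}, []byte("constructed sample artifact standing in for release-1.0.tar.gz")
	// Sign "an hour ago": the ten-minute certificate is already expired by the time it is verified.
	idx, root, err := sign(tlog, artifact, "maintainer@example.com", time.Now().Add(-time.Hour))
	if err != nil { panic(err) }
	fmt.Println("original:      ", verify(tlog, idx, artifact, "maintainer@example.com", root))
	fmt.Println("tampered:      ", verify(tlog, idx, []byte("evil"), "maintainer@example.com", root))
	fmt.Println("wrong identity:", verify(tlog, idx, artifact, "mallory@example.com", root))
}
```

Running it prints nil for the genuine entry and errors for the altered artifact and the wrong identity, even though the certificate's NotAfter lies fifty minutes in the past. Two points a practitioner should take from it: the verifier never asks whether the certificate is valid now, only whether it was valid when the log recorded the signature, and it can trust that timestamp only because the log is append-only and publicly auditable; and the verifier must compare the identity in the certificate against the identity it expects, since accepting any certificate the CA ever issued would let anyone who can log in sign on the project's behalf.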
sigstore is functional today, but the project describes it as "under prototype development," so it is not yet ready for general use. Once it is widely available, the service should go a long way toward better securing the software supply chain.