A new Linux Foundation open source signing tool could make secure software supply chains universal
Sigstore could eliminate the headaches associated with current software signing technology through public ledgers.
The Linux Foundation, in partnership with Red Hat, Google and Purdue University, has announced a new digital signing project, potentially eliminating many of the headaches that come with securing open source software, files, images and binaries.
Called sigstore, the new cryptographic signing platform uses public logging similar to (but not the same as) cryptocurrencies and other blockchain technologies, with the result that many of the security risks associated with traditional digital signing technologies are eliminated. Rather than an actual blockchain, sigstore uses transparency logs, which the project says are more resilient to majority attacks, avoid canonicalization problems and are a more mature technology.
The platform is designed for open source projects, which the Linux Foundation said are rarely cryptographically signed because of key management challenges, key compromise or revocation, and the difficulty of distributing public keys and artifact digests. Along with key control problems, many open source projects also store keys on websites vulnerable to attacks or in public git repositories. “In turn, users are left to seek out which keys to trust and learn steps needed to validate signing,” the Linux Foundation said in a press release.
In addition, there has yet to be one universal digital signing standard, which sigstore aims to become. The Linux Foundation describes sigstore as a nonprofit project designed for the public good that “will be free to use for all developers and software providers, with sigstore’s code and operation tooling being 100% open source and maintained / developed by the sigstore community.”
Luke Hinds, security engineering lead at the Red Hat office of the CTO, said: “sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain.”
The technology behind sigstore is nothing new: It harnesses X.509 public key infrastructure to generate ephemeral, short-lived key pairs, which the sigstore public key infrastructure service turns into a signing certificate once the user completes a successful OpenID Connect login. At that point the certificate is sent to the transparency log, which establishes a trust root tied to the user’s OpenID account. Once signing is complete, the keys are discarded, eliminating the need for key management, rotation or revocation.
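The keyless flow described above, as an added example that is not sigstore’s own code: an ephemeral ECDSA key, a short-lived X.509 certificate bound to the signer’s email (standing in for what the sigstore PKI service issues after the OpenID login), a signature over the artifact digest, and verification of the artifact against the logged entry at the time it was logged rather than now. The root CA, the 10-minute certificate lifetime, the email address and the artifact bytes are constructed for this example, and the transparency log is reduced to a single entry carrying its logging time.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Entry is what a transparency log such as rekor records for one signature: the artifact
// digest, the signature, the short-lived cert tying it to an OpenID identity, and the log time.
type Entry struct{ Digest, Sig, CertDER []byte; LoggedAt time.Time }

// NewCA builds a stand-in for the sigstore PKI root (constructed for this example only).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-root"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Sign models the keyless flow: ephemeral key -> 10-minute cert bound to the OpenID email (what the
// PKI service issues after login) -> signature over the artifact digest -> log entry. The private
// key goes out of scope on return, so there is nothing to store, rotate or revoke.
func Sign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string, artifact []byte) Entry {
	eph, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{email},
		NotBefore: time.Now(), NotAfter: time.Now().Add(10 * time.Minute)}
	certDER, _ := x509.CreateCertificate(rand.Reader, t, ca, &eph.PublicKey, caKey)
	d := sha256.Sum256(artifact)
	sig, _ := ecdsa.SignASN1(rand.Reader, eph, d[:])
	return Entry{Digest: d[:], Sig: sig, CertDER: certDER, LoggedAt: time.Now()}
}

// Verify checks an artifact against a log entry: the cert was issued by the root and was valid
// when logged (it has probably expired since, which must not fail verification), it names the
// expected identity, and its key signed the artifact's digest.
func Verify(ca *x509.Certificate, e Entry, email string, artifact []byte) error {
	cert, err := x509.ParseCertificate(e.CertDER)
	if err != nil { return err }
	if err := cert.CheckSignatureFrom(ca); err != nil { return err }
	if e.LoggedAt.Before(cert.NotBefore) || e.LoggedAt.After(cert.NotAfter) { return errors.New("cert not valid at log time") }
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != email { return errors.New("identity mismatch") }
	d := sha256.Sum256(artifact)
	if !bytes.Equal(d[:], e.Digest) || !ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), d[:], e.Sig) {
		return errors.New("artifact does not match the logged signature")
	}
	return nil
}
```

A real verifier would additionally check the log's inclusion proof for the entry and take the logging time from the log itself rather than from the entry as supplied.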
The first types of data that will be signable under sigstore are generic release artifacts like tarballs, compiled binaries and container images, with plans to add jars, manifest signing and other formats in the future.
Currently, sigstore is functional, but the project describes it as being “under prototype development,” meaning it’s not yet available for general use. Officials said sigstore has built a fully functional client-server transparency log called rekor, and anyone who wants to do their own signing can stand up their own rekor instance.
As of now, rekor supports GPG, x509 and Minisign public key infrastructures. Rekor also has an OpenAPI interface, and the sigstore project is encouraging interested users to join its Slack workspace to contribute and learn more.