IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google and Red Hat team up with Linux Foundation for software-signing service

The project aims to cryptographically verify open source software to mitigate supply chain security risks

The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.

Developed in partnership with Google and Red Hat, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.

The aim is to make it easier for developers to sign releases and for users to verify them, with widespread uptake translating to a reduction in the threat of open source supply chain attacks. This is because one of the major issues with open source software is it’s often difficult to determine where the software came from, and how it was built.

“Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine,” said Google’s product manager Kim Lewandowski and product engineer Dan Lorenc. “To address this we need to make it possible to verify the provenance of all software - including open source packages.

“The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.”

Sigstore takes a unique approach to key management by issuing short-lived certificates based on OpenID Connect grants, and storing all activity in logs backed by the Trillian instant management software. This is so the team can detect compromises, and recover from them, when they do occur.

This approach has been devised in light of the fact that key distribution is “notoriously difficult”, leading developers to design away the need for a management hub by building a Root Certificate Authority (CA) which will be made available for free.

News of this project follows Google's commitment to help fund two Linux developers in their ambitions to fix kernel security problems. This responded to a need for additional work on open source software security that recent research identified.

“I am very excited about sigstore and what this means for improving the security of software supply chains,” said Luke Hinds, one of the lead developers on sigstore and Red Hat’s security engineering lead.

Related Resource

Five critical questions to ask your identity provider

How to distinguish best-of-breed identity

Five critical questions to ask your identity provider - whitepaper from OktaDownload now

“Sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.”

The team behind the sigstore project will build on this momentum in the near future with further tweaks, including hardening the system, adding support for other OpenID Connect providers, and updating documentation.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Microsoft says it's provided over $100 million in tech support to Ukrainian government
cyber attacks

Microsoft says it's provided over $100 million in tech support to Ukrainian government

20 May 2022