New free software signing service aims to strengthen open-source ecosystem

The Linux Foundation has launched a free service that software developers can use to digitally sign their releases and other software artifacts. The project aims to strengthen the security and auditability of the open-source software supply chain, which has faced an unprecedented number of attacks in recent years.

The code behind the new service, called sigstore, was developed in partnership with Google, Red Hat and Purdue University, and will be maintained by the community going forward. All signatures and signing events will be stored in a tamper-resistant public log that can be monitored to discover potential abuse.
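The property the article attributes to sigstore's public log (that tampering with a recorded signing event is detectable by anyone monitoring it) comes from a Merkle-tree transparency log. The following is an added illustration, not sigstore or Rekor code: a small append-only log using RFC 6962 hashing, with inclusion proofs a client can check against a published root, and a monitor scenario in which an already-logged entry is rewritten and the old root no longer matches. The entry format, the signer identities and the signature bytes are constructed placeholders; real artifact signing and signature verification are out of scope here.

```python
"""Toy RFC 6962 Merkle transparency log (added illustration, not sigstore code)."""
import hashlib
import json
from typing import List, Optional, Tuple


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: 0x00 prefix domain-separates leaves from inner nodes."""
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 inner-node hash with 0x01 prefix."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: List[bytes]) -> bytes:
    """Merkle tree hash over leaf hashes (RFC 6962 section 2.1)."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path for leaves[index]; the last element is the top-level sibling."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def _root_from_path(h: bytes, index: int, size: int, path: List[bytes]) -> Optional[bytes]:
    """Rebuild the root from a leaf hash and its audit path; None if the path is malformed."""
    if size == 1:
        return h if not path else None
    if not path:
        return None
    k = _split(size)
    sibling = path.pop()
    if index < k:
        sub = _root_from_path(h, index, k, path)
        return None if sub is None else node_hash(sub, sibling)
    sub = _root_from_path(h, index - k, size - k, path)
    return None if sub is None else node_hash(sibling, sub)


def verify_inclusion(entry: bytes, index: int, size: int, proof: List[bytes], root: bytes) -> bool:
    """Client-side check: is `entry` really at `index` in a tree of `size` with head `root`?"""
    return _root_from_path(leaf_hash(entry), index, size, list(proof)) == root


class TransparencyLog:
    """Append-only log; a real operator would sign each tree head it publishes."""

    def __init__(self) -> None:
        self.entries: List[bytes] = []

    def append(self, entry: bytes) -> int:
        self.entries.append(entry)
        return len(self.entries) - 1

    def tree_head(self) -> Tuple[int, bytes]:
        return len(self.entries), merkle_root([leaf_hash(e) for e in self.entries])

    def prove(self, index: int) -> List[bytes]:
        return inclusion_proof([leaf_hash(e) for e in self.entries], index)


def signing_record(artifact: bytes, signer: str, signature: bytes) -> bytes:
    """Constructed entry shape: artifact digest, signer identity, signature, as canonical JSON."""
    return json.dumps(
        {"artifact_sha256": hashlib.sha256(artifact).hexdigest(),
         "signer": signer, "signature": signature.hex()},
        sort_keys=True).encode()


def demo() -> dict:
    """Log five constructed signing events, verify one, then show a rewrite is detectable."""
    log = TransparencyLog()
    for i in range(5):  # placeholder signature bytes, not real signatures
        log.append(signing_record(b"release-%d.tar.gz" % i, "dev@example.org", bytes([i]) * 8))
    size, root = log.tree_head()
    idx = 2
    ok = verify_inclusion(log.entries[idx], idx, size, log.prove(idx), root)

    # Monitor scenario: an already-logged entry is rewritten in place.
    rewritten = TransparencyLog()
    rewritten.entries = list(log.entries)
    rewritten.entries[idx] = signing_record(b"release-2.tar.gz", "other@example.org", b"\xff" * 8)
    _, new_root = rewritten.tree_head()
    # Anyone holding the earlier root sees the mismatch; proofs from the rewritten tree fail against it.
    still_ok = verify_inclusion(rewritten.entries[idx], idx, size, rewritten.prove(idx), root)
    return {"inclusion_ok": ok, "root_changed": new_root != root, "rewrite_hidden": still_ok}
```

Run `demo()` to see the three outcomes; the point of the monitor scenario is that history cannot be edited without changing every subsequently published root, which is what lets third parties audit a public signing log rather than trust its operator.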
