Linux Foundation Debuts Sigstore Project for Software Signing

Sigstore aims to improve the open source software supply chain by simplifying the process of cryptographic software signing.

The Linux Foundation today announced its launch of Sigstore, a new nonprofit initiative that aims to improve open source software supply chain security by making it easier for developers to adopt cryptographic signing for different components of the software development process.


Sigstore will be free for software providers and developers, who can use it to securely sign software artifacts such as release files, container images, binaries, and bill-of-material manifests. Signing materials are then stored in a tamper-proof public log. The service's code and operation tooling will be fully open source and maintained and developed by the Sigstore community. 


Founding members include Red Hat, Google, and Purdue University. The idea for the service came from Luke Hinds, security engineering lead in Red Hat's Office of the CTO. He pitched the concept to Google software engineer Dan Lorenc, and the two began to work on it. Now the Sigstore project has a "small but agile community" working on its development, Lorenc says.


Software supply chains face security risks. Users are exposed to targeted attacks, as well as account and cryptographic key compromise. Keys are difficult for software maintainers to manage: projects often carry a list of keys in use, and maintainers must handle the keys of people who are no longer involved. These public keys are often stored in Git repository README files or on websites, where they may be susceptible to tampering and do not securely convey trust.


Software signing is meant to convey trust. The process of digitally signing software is meant to provide evidence that the code comes from a known developer or software vendor and hasn't been tampered with. This gives users confidence th ..
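To make the two ideas above concrete (a signature that ties an artifact to a known key and detects tampering, and a log whose history cannot be quietly rewritten), here is a small Go program. It is an added illustration written for this page, not Sigstore's code or its record format; the `SignedArtifact`, `Log` types and the hash-chained log are constructed for the example, and the artifact bytes are a constructed sample. Real transparency logs use a Merkle tree and signed checkpoints; the chain here only shows why an append-only log makes rewriting detectable.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedArtifact is a hypothetical signing record (not Sigstore's format):
// the SHA-256 digest of the artifact, an Ed25519 signature over that digest,
// and the signer's public key, i.e. the material a signing service publishes.
type SignedArtifact struct {
	Digest    []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// NewSigner generates a fresh Ed25519 key pair for the signing party.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// artifactDigest hashes the artifact so the signature covers a fixed-size value.
func artifactDigest(artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return d[:]
}

// SignArtifact produces the signing record for a release file, image, SBOM, etc.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) SignedArtifact {
	digest := artifactDigest(artifact)
	return SignedArtifact{
		Digest:    digest,
		Signature: ed25519.Sign(priv, digest),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyArtifact checks that the downloaded artifact matches the signed digest
// and that the signature was made by the key the verifier already trusts.
// The key embedded in the record is deliberately not used: a record only
// conveys trust if the verifier independently knows who holds `trusted`.
func VerifyArtifact(rec SignedArtifact, artifact []byte, trusted ed25519.PublicKey) bool {
	if !bytes.Equal(artifactDigest(artifact), rec.Digest) {
		return false // artifact was altered after signing
	}
	return ed25519.Verify(trusted, rec.Digest, rec.Signature)
}

// Record serialises the signing material for publication in a log.
func (rec SignedArtifact) Record() []byte {
	return bytes.Join([][]byte{rec.Digest, rec.Signature, rec.PublicKey}, []byte(":"))
}

// Log is a hash-chained, append-only log: each entry's hash covers the previous
// entry's hash, so rewriting any earlier record breaks every later link.
type LogEntry struct {
	Index    int
	PrevHash []byte
	Record   []byte
	Hash     []byte
}

type Log struct{ Entries []LogEntry }

func entryHash(prev, record []byte) []byte {
	h := sha256.New()
	h.Write(prev)
	h.Write(record)
	return h.Sum(nil)
}

// Append adds a record, linking it to the current chain head.
func (l *Log) Append(record []byte) LogEntry {
	var prev []byte
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := LogEntry{Index: len(l.Entries), PrevHash: prev, Record: record, Hash: entryHash(prev, record)}
	l.Entries = append(l.Entries, e)
	return e
}

// Verify re-walks the chain and reports whether every link still holds.
func (l *Log) Verify() bool {
	var prev []byte
	for i, e := range l.Entries {
		if e.Index != i || !bytes.Equal(e.PrevHash, prev) || !bytes.Equal(entryHash(prev, e.Record), e.Hash) {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample: contents of release-1.0.tar.gz")
	rec := SignArtifact(priv, artifact)
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1
	fmt.Println("genuine verifies: ", VerifyArtifact(rec, artifact, pub))
	fmt.Println("tampered verifies:", VerifyArtifact(rec, tampered, pub))

	var lg Log
	lg.Append(rec.Record())
	fmt.Println("log intact:         ", lg.Verify())
	lg.Entries[0].Record = []byte("rewritten")
	fmt.Println("log after tampering:", lg.Verify())
}
```

The point a verifier should take from this: the signature binds the artifact to a key, but only pinning `trusted` from a source outside the record (which is what a public log and an identity-backed signing service are for) turns "signed by some key" into "signed by this known developer".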
