The Linux Foundation today announced the sigstore project. Founding members include Red Hat, Google and Purdue University. Sigstore improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies.
An inherent weakness of open source code is that it’s difficult to determine its provenance or how it was built. That makes it prone to supply chain attacks.
Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine. Regarding sigstore, you can think of it like Let’s Encrypt for Code Signing.
Google Security Blog
Sigstore protects software origins
The project will empower software developers to securely sign software artifacts such as release files, container images and binaries. The signing materials are then stored in a tamper-proof public log. The service will be free to use for all developers and software providers, with the sigstore code and operational tooling developed by the sigstore community.
It will also use transparency log technologies to make it easier to trace the “provenance, integrity, and discoverability” of the software supply chain, making it easier for both project owners and contributors to trust and monitor changes.
I am very excited about sigstore and what this means for improving the security of software supply chains. Sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.
Luke Hinds, Security Engineering Lead at Red Hat
In short, sigstore could give software developers an easier-to-use, free option for protecting the important files associated with a project. Developers can use sigstore to sign release files, binaries, manifests, documents, logs and more.
For more information, check the project’s website.