The Linux Foundation, Red Hat, Google, and Purdue University have launched the free 'sigstore' service that helps developers verify open-source software to prevent supply-chain attacks.
The open-source ecosystem is commonly targeted by supply-chain attacks. To launch these attacks, threat actors create malicious open-source packages and upload them to public repositories using names similar to popular legitimate packages. If a developer unwittingly includes the malicious component in their own project, malicious code will automatically be executed when the project is built.
To help prevent these types of attacks, 'sigstore' will be a free-to-use non-profit code signing service that allows developers to sign open-source software and verify their authenticity. “sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log,” reads the press release by Linux Foundation.
Transparency, visibility, integrity
To make the process simple, sigstore relies on the OpenID authentication protocol to connect certificates to identities. This allows developers to use security controls they already have, such as multifactor authentication, one-time passwords, and hardware token generators.
Developers will use sigstore’s tooling to create ephemeral short-lived key pairs. Its public key infrastructure (PKI) service provides a signing certificate following the successful OpenID connect grant. From there, certificates are recorded into a certificate transparency log, and software signing materials go to a signature transparency log, sigstore explains on its website. With the transparency logs being public, they can easily be monitored for compromise and rolled back when detected.
"sigstore also has the added benefit of being backed by transparency logs, which means that all the certificates and attestations are globally visible, discoverable and auditable," Google explained in a blog post.
“sigstore enables all open-source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO.
sigstore comes at a time when more and more organizations begin to think about the business risk inherited by third parties through complex and extensive supply chains. This heightened awareness is driven by the ripple effects caused by the SolarWinds hack that impacted dozens of federal agencies and other organizations. The founding members of sigstore believe the project can drastically change the environment for software authentication.
The challenge of software authenticity
Understanding and confirming the origin and authenticity of software often relies on a diverse set of approaches and data formats. The existing solutions rely on digests stored on insecure systems that are susceptible to tampering and can lead to various attacks such as swapping out of digests or users falling prey to targeted attacks. As Google security engineers Kim Lewandowski and Dan Lorenc put it, “Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine.”
Eric Brewer, Rob Pike and others at Google have recently stressed the importance of a multifaceted approach to vulnerabilities in open source based on three ideas: know, prevent, fix:
“Open source likely makes more use of dependencies than closed source, and from a wider range of suppliers; the number of distinct entities that need to be trusted can be very high. This makes it extremely difficult to understand how open source is used in products and what vulnerabilities might be relevant. There is also no assurance that what is built matches the source code.”
Software signing is meant to convey trust. The process of digitally signing software is meant to provide evidence that the code comes from a known developer or software vendor and hasn't been tampered with. This gives users confidence they're using code from a trusted source. However, very few open-source projects cryptographically sign software artifacts. This is largely due to the challenges that software developers face on key management, key revocation and the distribution of public keys and artifact digests. sigstore seeks to solve these issues by utilizing short lived ephemeral keys with a trust root leveraged from an open and auditable public transparency logs.
“Securing a software deployment ought to start with making sure we’re running the software we think we are. sigstore represents a great opportunity to bring more confidence and transparency to the open-source software supply chain,” said Josh Aas, executive director, Let’s Encrypt.
While the transparency log is fully functional, sigstore isn't available to developers just yet. The team hopes sigstore will be made available later this year, though an official date has not yet been determined.
How much control do you have over your organization’s code signing process? Make it easy for developer to comply with corporate policies with Venafi CodeSign Protect.