Sigstore: a Let’s Encrypt for software integrity
Google has teamed up with the Linux community on a new project that aims to make open source software more secure through easy code signing and verification.
The project – dubbed ‘sigstore’ – is spearheaded by the Linux Foundation and aims to use digital signature technology to ensure supply chain integrity and defend against software supply chain attacks.
In a blog post, Google cites the recent run of so-called ‘dependency confusion’ attacks and the abuse of malicious RubyGems packages to steal cryptocurrency as examples of the kinds of attacks that sigstore is gearing up to frustrate.
Described as a ‘Let’s Encrypt for code signing’, sigstore is designed to make it straightforward for developers to sign software releases and for users to verify them. The service will be free to use.
Chain of trust
Let’s Encrypt provides free SSL certificates and automation tooling for websites to run on HTTPS. In a similar manner, sigstore provides free certificates and tooling to automate and verify signatures of source code. The approach is backed by transparency logs.
Without such tooling and checks, the software supply chain will continue to be riddled with contamination and malfeasance, according to Google.
“Installing most open source software today is equivalent to picking up a random thumb drive off the sidewalk and plugging it into your machine. To address this, we need to make it possible to verify the provenance of all software - including open source packages,” explains the blog post.
Since long-term key management is hard, sigstore is based on short-lived certificates based on OpenID Connect grants.
To get around key distribution problems, sigstore is designed around a Root CA (certificate authority) for code signing.
Transparency Logs, backed by Trillian, offer a built-in fallback mechanism that will allow the system to detect and recover from any compromise.
A statement by the Linux Foundation explains: “Sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log.”
Work in progress
Although still in its early days, working prototypes of the technology have been developed by software engineers from Google, Linux distributor Red Hat, and the wider open source community.
The Linux Foundation was heavily involved with the project. The overall design of sigstore was put together by start-up vendor Smallstep.
Other developers and partners are encouraged to get involved with plans to further develop the project by hardening the system, adding support for other OpenID Connect providers, and more.
Early reaction to the project has largely been favorable.
Maya Kaczorowski, a program manager for software supply chain security at GitHub, commented on Twitter: “This is a huge step in the right direction of what we need for software supply chain security.”
Others, however, struck a note of caution by alluding to the possibility that cybercriminals or worse will abuse the technology for their own nefarious purposes.
Security blogger Nikos Vaggalis said in a blog post that while Sigstore is on the "right track" it fails to mitigate all supply chain hazards, something he argues is in any case impossible.
"Sigstore is a decent attempt to secure the supply chain, mitigating most of the dangers, but not all," Vaggalis writes. "[A trojanised] npm case still relies on the maintainer manually and meticulously scanning the code of the PR, a process that could very well fail to identify its malicious intent."
In response to queries from The Daily Swig to the Linux Foundation, a representative said the sigstore Project was actively considering how to harden the technology is order to guard against potential attack:
Like many open source projects, we've shared the news about the sigstore development work to open up contributions and invite community members to participate. We're also looking for critical input on things like UX, APIs, use cases and designs.
We know how important this service can be and we want as many people involved as possible, and the feedback and contribution will be key to hardening the final sigstore service.
We know how to harden systems like this and will be doing so before we recommend anyone rely on the system. And longer term, because we're carefully designing everything in sigstore to use Transparency Logs, which make the system verifiable and auditable by anyone, even if parts of the system are ever compromised, we (and our users) would be able to detect it, mitigate it and recover from it quickly.
This story has been updated to add comment from the sigstore project and (later) security blogger Nikos Vaggalis