Web · 2022-11-01

“Sigstore” introduces keyless source code signing – Startups

Open source software is a wonderful thing, but it’s often built by multiple people &, sadly, there’s no verification process that either developers or users can rely on to vouch for the code’s authenticity & security. As a result, many open source projects are hijacked by hackers & end users are compromised in turn. “Sigstore” aims to change this landscape with its code signing & verification certificates.

Sigstore, a project backed by the likes of Google, Red Hat & Linux, has set up a chain of products to assist developers in signing their software, proving their identity & ultimately making open source code far more reliable & safe. This is a giant step in the right direction for open source projects & developers are rushing to avail themselves of the service, which has already been used more than 4 million times.

Sigstore is also backed by transparency logs, meaning that every certificate issued for source code is visible to the public, globally. The transparency logs are built on Trillian, which facilitates the detection of code that has been compromised & allows for faster, more effective fixes.

Generally, when developers finish a project they need to sign off on the build, which requires complicated key generation & maintenance. A private & a public key are issued for the source code; the private key is “secret” & the developer has to ensure that it’s never leaked. Sigstore does away with this complication: its system is called keyless signing, & the code is automatically signed on the final commit on services such as GitHub (currently available for Kubernetes & CPython releases).
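The keyless flow just described, together with the transparency log from the previous section, modelled as an added Go example that is not Sigstore’s own code: an ephemeral key, the signer’s identity bound into a short-lived certificate, an append-only in-memory log standing in for Rekor, & a verifier that insists on the expected identity. The certificate is self-signed here as a stand-in for the Fulcio CA; real verification additionally validates the chain to the Sigstore root & checks the log’s timestamp against the certificate’s validity window.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// Bundle is published beside the artifact: signature plus short-lived identity cert, never a private key.
type Bundle struct{ Sig, CertDER []byte }

// rekorLog is a constructed in-memory stand-in for the public transparency log (records cert + signature).
var rekorLog = map[string]bool{}

// SignKeyless: ephemeral key, identity bound into a ten-minute self-signed cert (a stand-in for
// the Fulcio CA, which would sign it after an OIDC login), sign the artifact, log it, drop the key.
func SignKeyless(artifact []byte, identity string) (Bundle, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Bundle{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), EmailAddresses: []string{identity},
		NotBefore: time.Now(), NotAfter: time.Now().Add(10 * time.Minute)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return Bundle{}, err
	}
	b := Bundle{Sig: ed25519.Sign(priv, artifact), CertDER: der}
	rekorLog[string(b.CertDER)+string(b.Sig)] = true // public, append-only record of who signed what
	return b, nil                                    // priv goes out of scope here: nothing to leak later
}

// Verify: signature, then signer identity, then log inclusion; a valid signature from the wrong identity still fails.
func Verify(artifact []byte, b Bundle, wantIdentity string) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	switch {
	case !ok || !ed25519.Verify(pub, artifact, b.Sig):
		return errors.New("signature does not match artifact")
	case len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantIdentity:
		return errors.New("certificate is not for the expected signer identity")
	case !rekorLog[string(b.CertDER)+string(b.Sig)]:
		return errors.New("signing event absent from transparency log")
	}
	return nil
}
```

The identity check is the step a consumer must not skip: a bundle that verifies cryptographically but was issued to an unexpected identity is exactly what a hijacked release would look like.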

Support for JavaScript & npm will mean that users of various packages & libraries will be able to understand how the code was built, by whom & whether the package has been compromised in any way. This is a massive plus for code supply-chain security, since JavaScript is widely used to build applications & there is currently no way to check the authenticity of libraries & packages used as a framework for some of the most used applications, such as Uber, which is built with React.

Sigstore is completely free to use & backed by a strong community. The community is in the game for the long haul & promises to maintain the system & offer constant support.

Image credit: Sigstore