New Tool Aims to Save Open Source From Supply Chain Attacks


Russia's historically destructive NotPetya malware attack and its more recent SolarWinds cyberespionage campaign have something in common beyond the Kremlin: they are both real examples of software supply chain attacks. The term describes what happens when a hacker slips malicious code into a legitimate piece of software that then spreads far and wide. As more supply chain attacks emerge, a new open source project is taking a stand by making a crucial safeguard free and easy to implement, according to an article in Wired.

The founders of Sigstore hope that their platform will drive adoption of code signing, an important protection for software supply chains that popular and widely used open source software often lacks. Open source developers don't always have the resources, time, experience, or expertise to fully implement code signing on top of all the other non-negotiable components they need to build for their code to function.

“Everyone is talking about supply chain security, we have an Executive Order about this, and everyone is beginning to understand how critical open source is and how we should actually put some resources behind repairing security for everyone,” says Dan Lorenc, an open source software supply chain researcher and engineer at Google.

Lorenc is far from the only researcher focused on the challenges of securing open source projects and the software supply chain. But the mainstream attention generated by recent high-profile hacks has brought a new level of enthusiasm for the work Lorenc and his collaborators already had underway.

To understand what Sigstore offers, you need a sense of what code signing is. Think of battle orders transmitted in ancient times. The generals would recognize the handwriting of the royal clerk, the signature of the commander-in-chief, and the detailed wax seal on the envelope, while a carefully vetted network of pages conveyed the messages in a controlled chain of custody. That system worked because it was extremely difficult – though not totally impossible – for an outside party to infiltrate the process, replicate the crucial elements, and circumvent all those integrity checks.

“These are huge issues that put the world's infrastructure at risk,” says Bob Callaway, a chief architect at the open source software company Red Hat. “It's certainly not a panacea that will solve everything, but it will be a big blow that people will actually get the best practices and cryptographic techniques that have been around for a long time and make releases more secure.”

Sigstore, which is affiliated with the Linux Foundation and currently led by Google, Red Hat, and Purdue University, combines two components. First, it handles the convoluted cryptography for its users. Using a pre-established identifier such as an email address, or a third-party login system such as Sign in with Google or Sign in with Facebook, you can quickly begin cryptographically signing the code you produce as having been vouched for by you at a certain time. Second, Sigstore automatically produces an immutable, open source public record of all signing activity. This provides public accountability for every submission, and a place to start investigating if something goes wrong.
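The two components described above, as an added example that is not code from the article or from the Sigstore project: a simplified Go model in which a developer identity signs an artifact digest, each signing event is appended to a hash-chained public log, a consumer verifies a downloaded artifact against its entry, and any later edit to a log entry breaks the chain. The identity string and release bytes are constructed placeholders; real Sigstore binds identity through an OIDC login and a short-lived certificate, which this model reduces to an identity string included in the signed payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one record in the append-only log: who signed which artifact digest,
// the signature, and the hash of the preceding entry that chains it to the log.
type Entry struct {
	Identity    string   // identity asserted by a login provider (constructed value in the demo)
	ArtifactSHA [32]byte // sha256 of the released artifact
	Signature   []byte   // ed25519 signature over Identity || ArtifactSHA
	PrevHash    [32]byte // hash of the previous entry (all zero for the first)
}

// signedPayload is the exact byte string that gets signed: identity plus digest,
// so a signature cannot be reused for another artifact or another identity.
func signedPayload(identity string, digest [32]byte) []byte {
	return append([]byte(identity+"\n"), digest[:]...)
}

// hash binds every field of an entry into one value used for chaining.
func (e Entry) hash() [32]byte {
	h := sha256.New()
	h.Write([]byte(e.Identity))
	h.Write(e.ArtifactSHA[:])
	h.Write(e.Signature)
	h.Write(e.PrevHash[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Sign produces a log entry for an artifact under a developer identity.
func Sign(priv ed25519.PrivateKey, identity string, artifact []byte) Entry {
	digest := sha256.Sum256(artifact)
	return Entry{
		Identity:    identity,
		ArtifactSHA: digest,
		Signature:   ed25519.Sign(priv, signedPayload(identity, digest)),
	}
}

// Verify is the consumer-side check: the downloaded bytes must hash to the
// recorded digest, and the signature over identity+digest must validate.
func Verify(pub ed25519.PublicKey, e Entry, artifact []byte) bool {
	digest := sha256.Sum256(artifact)
	if digest != e.ArtifactSHA {
		return false
	}
	return ed25519.Verify(pub, signedPayload(e.Identity, digest), e.Signature)
}

// Log is an append-only, hash-chained record of signing events.
type Log struct{ entries []Entry }

// Append links the new entry to the previous one and records it.
func (l *Log) Append(e Entry) {
	if n := len(l.entries); n > 0 {
		e.PrevHash = l.entries[n-1].hash()
	}
	l.entries = append(l.entries, e)
}

// Consistent recomputes the chain; an edited or removed entry breaks it.
func (l *Log) Consistent() bool {
	var prev [32]byte
	for _, e := range l.entries {
		if e.PrevHash != prev {
			return false
		}
		prev = e.hash()
	}
	return true
}

// Demo runs the whole flow on constructed input and returns the four checks
// a consumer or auditor would care about.
func Demo() (validSig, tamperedArtifactRejected, logOK, tamperedLogDetected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	release := []byte("constructed release tarball v1.0") // stand-in for a real artifact
	e := Sign(priv, "dev@example.com", release)         // constructed identity
	validSig = Verify(pub, e, release)

	tampered := append([]byte{}, release...)
	tampered[0] ^= 1 // one flipped bit in the download
	tamperedArtifactRejected = !Verify(pub, e, tampered)

	var tl Log
	tl.Append(e)
	tl.Append(Sign(priv, "dev@example.com", []byte("constructed release tarball v1.1")))
	logOK = tl.Consistent()
	tl.entries[0].ArtifactSHA = sha256.Sum256([]byte("swapped artifact")) // rewrite history
	tamperedLogDetected = !tl.Consistent()
	return
}

func main() {
	a, b, c, d := Demo()
	fmt.Println("signature valid:", a, "| tampered artifact rejected:", b)
	fmt.Println("log consistent:", c, "| edited log entry detected:", d)
	fmt.Println("digest of v1.0:", hex.EncodeToString(sha256.New().Sum([]byte("constructed release tarball v1.0"))[:8]))
}
```

The point of chaining is that the log is only useful for accountability if no one, including its operator, can quietly rewrite an earlier entry; with the chain, the investigation the article mentions starts from the first entry whose `PrevHash` no longer matches.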
