Codenotary has announced the addition of independent cryptographic validator nodes to its free and open source Community Attestation Service (CAS), bringing the data open source projects notarize and authenticate using the service to a new level of transparency, security, and third-party verifiability.
The AlmaLinux and Home Assistant projects use CAS independent validation to add an additional layer of security to the CAS code inventory and Software Bill of Materials (SBOM), ensuring that the data has not been changed after it has been written.
“This independent validation service allows anyone, anywhere in the world to verify the integrity of the data that is stored in the CAS,” said Moshe Bar, co-founder and CEO of Codenotary. “It ensures that there is transparency and visibility into the backend of the service and that the notarization information stored is true and complete – so there is complete trust in the software being used. We encourage others to begin adding independent validators, as well.”
The CAS, which is backed by the open source immudb tamper-proof database, allows all open source software users to create a Software Bill of Materials that lists all of its components. The CAS handles around 1.2 million transactions each day at a rate of 1,200 transactions per second. In the less than six months that the service has been available, millions of software assets (code, binaries, libraries, and containers) have been notarized, representing a significant improvement in the supply chain security posture for open source projects.
The CAS is used by Home Assistant, a popular home automation software company, to protect the integrity of its software and add-ons. Using Codenotary’s CAS, anyone may secure their open source program and generate SBOMs for free.
“Our content trust system uses CAS to enable both core and providers of third-party add-on extensions to Home Assistant to verify that the software delivered to our global community of users is secure, and what our users download and install is exactly the same as it was released by its creator and ensures nobody messed with it along the way. It helps to build a trustworthy IoT space,” said Pascal Vizeli, co-founder of Nabu Casa and core developer of Home Assistant.