Russia's historically destructive NotPetya malware attack and its more recent SolarWinds cyberespionage campaign have something in common besides the Kremlin: both are real examples of software supply chain attacks. The term describes what happens when an attacker slips malicious code into legitimate software, from where it can spread on a large scale. As more supply chain attacks emerge, a new open source project is poised to take a stand by making a crucial protection free and easy to implement.
The founders of Sigstore hope their platform will drive adoption of code signing, an important protection for software supply chains that popular and widely used open source software often overlooks. Open source developers don't always have the resources, time, expertise, or means to fully implement code signing on top of all the other non-negotiable components they need to build and ship working code.
"Until about a year and a half ago, I felt like I was the madwoman standing around the corner with a sign saying, 'The end is drawing near.' No one understood the problem," says Dan Lorenc, open source software researcher and supply chain engineer at Google. "But over the past year things have changed dramatically. Now everyone is talking about supply chain security, we have an executive order about it, and everyone is starting to realize how critical open source is and how we really need to devote resources to securing it for everyone."
Lorenc is far from the only researcher who has focused on the security challenges of open source or supply chain projects. But the general attention generated by recent high-profile hacks has sparked a whole new level of interest in the work Lorenc and his associates already had underway.
To understand why Sigstore matters, you need an idea of what code signing does. Think of it like battle orders sent in ancient times. The generals would recognize the handwriting of the royal scribe, the signature of the commander-in-chief, and the distinctive wax seal on the envelope, while a carefully controlled network of pages carried the messages along a controlled chain of possession. This system worked because it was extremely difficult, though not entirely impossible, for an outside entity to infiltrate the process, replicate the crucial elements, and bypass all of those integrity checks.
Cryptographic code signing works the same way. You can't just create a Windows update and distribute it to your closest friends or foes. Only Microsoft can do this, unless something has gone badly wrong. One of the reasons it's so difficult for anyone other than Microsoft to push updates to your Windows laptop is that the software has to have been "signed" by the right creator at the right time. It is the John Hancock and wax seal of the digital age.
You can see why the stakes are so high, for ancient battles and modern software alike. If someone could send malicious commands or updates, they could stage a coup or compromise billions of computers. The benefits of code signing are clear, but getting hobbyists, volunteers, and other open source contributors to integrate it requires a low barrier to entry.
"These are huge problems that put infrastructure at risk around the world," says Bob Callaway, chief architect at open source enterprise software company Red Hat. "It is certainly not a panacea that will solve everything, but it will make a big dent for people to actually use the best practices and cryptographic techniques that have been around for a long time and make releases more secure."
Sigstore, which is affiliated with the Linux Foundation and currently run by Google, Red Hat, and Purdue University, combines two components. First, it handles the complicated cryptography on behalf of its users; it can even manage everything for developers who cannot or do not want to take on the extra work themselves. Using pre-existing credentials such as an email address or a third-party login like Sign In with Google or Sign In with Facebook, you can quickly begin to cryptographically sign the code you produce as having been created by you at a particular moment. Second, Sigstore automatically produces a public, immutable, open source log of all signing activity. This ensures public accountability for every submission and gives investigators a place to start if something goes wrong.
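To make the two components concrete, the following Go program is an added illustration written for this article; it is not Sigstore's own code and deliberately simplifies what the real services do. It models "keyless" signing: a throwaway Ed25519 key pair is generated, the signer's identity (an email address and the login provider that vouched for it, assumed here to have already been checked) is bound to that public key in a record that stands in for the certificate Sigstore's certificate authority issues, the artifact's digest is signed, and the whole record is appended to a hash-chained, append-only log standing in for the public transparency log. Verification then checks four things: the artifact matches the logged digest, the signature is valid under the logged key, the signer identity matches the verifier's policy, and the entry sits in a log whose chain is still intact. All identities, issuer URLs and artifact bytes are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// LogEntry is one record in a toy append-only transparency log (a stand-in for
// Sigstore's public log). Identity and Issuer are what the login provider asserted.
type LogEntry struct {
	ArtifactDigest string            // hex sha256 of the signed bytes
	Identity       string            // e.g. an email address from an OIDC login
	Issuer         string            // the identity provider that vouched for Identity
	PubKey         ed25519.PublicKey // ephemeral key bound to Identity for this signature
	Signature      []byte
	PrevHash       string // hash of the previous entry: alter any entry and the chain breaks
	Hash           string
}

// TransparencyLog is append-only: entries are never rewritten, only added.
type TransparencyLog struct{ entries []LogEntry }

func entryHash(e LogEntry) string {
	h := sha256.New()
	h.Write([]byte(e.ArtifactDigest + "|" + e.Identity + "|" + e.Issuer + "|" + e.PrevHash))
	h.Write(e.PubKey)
	h.Write(e.Signature)
	return hex.EncodeToString(h.Sum(nil))
}

// Append links the new entry to the previous one and returns the stored copy.
func (l *TransparencyLog) Append(e LogEntry) LogEntry {
	if n := len(l.entries); n > 0 {
		e.PrevHash = l.entries[n-1].Hash
	}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e
}

// Consistent re-hashes the whole chain; any edited or reordered entry is detected.
func (l *TransparencyLog) Consistent() bool {
	prev := ""
	for _, e := range l.entries {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

// SignKeyless generates a one-time key, signs the artifact digest, binds the
// (assumed already verified) login identity to the key, and records everything
// in the log. The private key is dropped when the function returns: there is
// no long-lived signing key for a developer to lose or leak.
func SignKeyless(tlog *TransparencyLog, artifact []byte, identity, issuer string) (LogEntry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return LogEntry{}, err
	}
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(priv, digest[:])
	return tlog.Append(LogEntry{
		ArtifactDigest: hex.EncodeToString(digest[:]),
		Identity:       identity,
		Issuer:         issuer,
		PubKey:         pub,
		Signature:      sig,
	}), nil
}

// Verify is what a consumer runs: it trusts nothing in the entry until the
// digest, signature, identity policy and log inclusion all check out.
func Verify(tlog *TransparencyLog, artifact []byte, entry LogEntry, wantIdentity, wantIssuer string) error {
	digest := sha256.Sum256(artifact)
	if hex.EncodeToString(digest[:]) != entry.ArtifactDigest {
		return errors.New("artifact digest does not match the logged digest")
	}
	if !ed25519.Verify(entry.PubKey, digest[:], entry.Signature) {
		return errors.New("signature is not valid under the logged public key")
	}
	if entry.Identity != wantIdentity || entry.Issuer != wantIssuer {
		return errors.New("signer identity or issuer does not match policy")
	}
	if !tlog.Consistent() {
		return errors.New("transparency log chain is broken")
	}
	for _, e := range tlog.entries {
		if e.Hash == entry.Hash {
			return nil // signature is publicly recorded
		}
	}
	return errors.New("signature was never recorded in the transparency log")
}

func main() {
	tlog := &TransparencyLog{}
	artifact := []byte("constructed sample release tarball contents") // constructed input
	entry, err := SignKeyless(tlog, artifact, "dev@example.com", "https://accounts.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("verify as dev@example.com:", Verify(tlog, artifact, entry, "dev@example.com", "https://accounts.example.com"))
	fmt.Println("verify as someone else:", Verify(tlog, artifact, entry, "other@example.com", "https://accounts.example.com"))
}
```

The point the toy makes is that the verifier's policy is an identity, not a key: a consumer says "I accept releases signed by dev@example.com as vouched for by this issuer", and the log lets anyone later audit which identities signed what, including a signature the rightful developer never made.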