Linux Foundation announces free sigstore software signing service
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. The Foundation has announced the sigstore project, which will help improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing, backed by transparency log technologies.
“sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, security engineering lead, Red Hat office of the CTO. “By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development.”
Understanding and confirming the origin and authenticity of software relies on an often disparate set of approaches and data formats. The solutions that do exist often rely on digests stored on insecure systems that are susceptible to tampering, which opens the door to attacks such as digests being swapped out or users falling prey to targeted attacks.
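The digest-swapping weakness described above, contrasted with a digest bound to a signing key, as an added example that is not part of the announcement or of the sigstore project's code. It uses Ed25519 with a pinned public key as a stand-in for the signing scheme and deliberately does not model the transparency log; the release contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample release and a tampered replacement for it.
var genuine = []byte("constructed sample: release-1.0.tar.gz")
var tampered = []byte("constructed sample: release-1.0.tar.gz with backdoor")

// Digest returns the hex SHA-256 of an artifact, as a publisher would post beside it.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// DigestOnlyCheck is the weak scheme the text describes: the digest lives next to
// the artifact, so whoever can replace one can replace both.
func DigestOnlyCheck(artifact []byte, published string) bool {
	return Digest(artifact) == published
}

// SignedCheck binds the digest to a signer: the verifier pins pub and rejects any
// digest whose signature does not verify under it, even if artifact and digest agree.
func SignedCheck(pub ed25519.PublicKey, artifact []byte, published string, sig []byte) bool {
	return Digest(artifact) == published && ed25519.Verify(pub, []byte(published), sig)
}

// Scenario: the publisher signs the genuine digest; an attacker with write access to
// the download server swaps both artifact and posted digest but cannot re-sign.
// Returns whether each scheme accepts the tampered download.
func Scenario() (digestOnlyAccepts, signedAccepts bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // key generation from rand.Reader failing is not recoverable here
	}
	sig := ed25519.Sign(priv, []byte(Digest(genuine)))
	swapped := Digest(tampered)
	return DigestOnlyCheck(tampered, swapped), SignedCheck(pub, tampered, swapped, sig)
}

func main() {
	d, s := Scenario()
	fmt.Println("digest-only accepts tampered download:", d, "| signed check accepts:", s)
}
```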
“Securing a software deployment ought to start with making sure we’re running the software we think we are. sigstore represents a great opportunity to bring more confidence and transparency to the open source software supply chain,” said Josh Aas, executive director, ISRG | Let’s Encrypt.