Russia’s historically destructive NotPetya malware attack and its more recent SolarWinds cyberespionage campaign have something in common beyond the Kremlin: both are real examples of software supply chain attacks. The term describes what happens when an attacker slips malicious code into a legitimate piece of software that is then distributed far and wide. As more supply chain attacks emerge, a new open source project is taking a stand by making a crucial safeguard free and easy to implement.
The founders of Sigstore hope that their platform will spur the adoption of code signing, an important protection for software supply chains that is often overlooked in popular and widely used open source software. Open source developers don’t always have the resources, time, experience, or expertise to fully implement code signing on top of all the other non-negotiable components they need to build for their code to function.
“Until about a year and a half ago I felt like the guy standing on the corner with a sign that says, ‘The End Has Come.’ No one understood the problem,” says Dan Lorenc, an open source software supply chain researcher and engineer at Google. “But things have changed a lot in the last year. Now everyone is talking about supply chain security, we have an executive order about this, and everyone is beginning to understand how critical open source is and how we should actually put some resources behind repairing security for everyone.”
Lorenc is far from the only researcher focused on the challenges of securing open source projects and the software supply chain. But the mainstream attention generated by recent high-profile hacks has brought a new level of enthusiasm to the work Lorenc and his collaborators already had underway.
To understand what Sigstore means, you need a sense of what code signing is. Think of it as battle orders sent in ancient times. The generals would recognize the handwriting of the royal clerk, the signature of the commander-in-chief, and the detailed wax seal on the envelope, while a carefully vetted network of pages carried the messages in a controlled chain of custody. That system worked because it was extremely difficult, though not impossible, for an outsider to infiltrate the process, replicate the crucial elements, and circumvent all those integrity checks.
The same is true of cryptographic code signing. You can’t just invent a Windows update and distribute it to your closest friends or enemies. Only Microsoft can do that, unless something has gone very wrong. One reason it is so hard for anyone other than Microsoft to push updates to your Windows laptop is that the software must have been “signed” by the right creator at the right time. It’s the John Hancock and wax seal of the digital age.
You can see why the stakes are so high, for both ancient battles and modern software. If someone could send spurious orders or updates, they could stage a coup, or compromise billions of computers. The advantages of code signing are clear, but getting hobbyists, volunteers, and other open source contributors to adopt it requires a low barrier to entry.
“These are huge issues that put the world’s infrastructure at risk,” says Bob Callaway, a chief architect at the open source software company Red Hat. “It’s certainly not a panacea that will solve everything, but it will be a big blow that people will actually get the best practices and cryptographic techniques that have been around for a long time and make releases more secure.”
Sigstore, which is affiliated with the Linux Foundation and currently led by Google, Red Hat, and Purdue University, combines two components. First, it coordinates the convoluted cryptography for its users; it even offers to handle everything for developers who can’t or don’t want to take on the extra work themselves. Using a pre-established identifier such as an email address, or a third-party sign-in system such as Sign in with Google or Sign in with Facebook, you can quickly begin cryptographically signing the code you produce as having been made by you in a certain way at a certain time. Next, Sigstore automatically produces an immutable, open source public record of all activity. This provides public accountability for every submission, and a place to start investigating if something is wrong.
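The two components described above, identity-bound signing and an immutable public record, in a constructed Go model added here for illustration; it is not Sigstore’s own code. Sigstore’s tooling uses certificates to bind an identity to a short-lived key and a Merkle-tree log for the record; this model stands in for both with a plain identity field on each record and a hash chain, so the identity string, the in-memory `Log` and the artifact bytes are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// LogEntry is one record of a constructed append-only log; each entry commits to the previous hash.
type LogEntry struct {
	Identity           string // signer identity, e.g. an e-mail address (constructed value)
	Artifact, PrevHash [32]byte
	PubKey, Signature  []byte
}
// Log stands in for the public log service: the entries plus the current head hash.
type Log struct{ Entries []LogEntry; Head [32]byte }
func entryHash(e LogEntry) [32]byte {
	return sha256.Sum256(bytes.Join([][]byte{e.PrevHash[:], []byte(e.Identity), e.Artifact[:], e.PubKey, e.Signature}, nil))
}
// Sign generates a single-use key pair, signs the artifact digest under the identity, appends the record and drops the key.
func (l *Log) Sign(identity string, artifact []byte) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(artifact)
	e := LogEntry{Identity: identity, Artifact: digest, PrevHash: l.Head, PubKey: pub, Signature: ed25519.Sign(priv, digest[:])}
	l.Entries, l.Head = append(l.Entries, e), entryHash(e)
	return nil
}

// Verify rejects a rewritten chain first, then looks for a valid signature over this artifact under the expected identity.
func (l *Log) Verify(identity string, artifact []byte) error {
	digest, prev := sha256.Sum256(artifact), [32]byte{}
	for _, e := range l.Entries {
		if e.PrevHash != prev {
			return errors.New("transparency log chain is broken")
		}
		prev = entryHash(e)
	}
	for _, e := range l.Entries {
		if e.Identity == identity && e.Artifact == digest && ed25519.Verify(e.PubKey, digest[:], e.Signature) {
			return nil
		}
	}
	return errors.New("no valid signature for this identity and artifact")
}
```

Because every later record commits to the hash of the one before it, quietly editing an old entry is caught when the chain is replayed, which is what gives the record its accountability value.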