Sigstore for a secure software supply chain: new code signing, not only for open source
Signing code to establish the trustworthiness of software is part of developers' daily routine, but by no means one of their most popular tasks. Open source communities are therefore driving the development of simpler software signing environments.
In the race for competitive advantages, companies are increasingly relying on specialized software solutions. As a result, many IT landscapes have become a patchwork of systems from different providers. This state of affairs means an increased risk for information security: more solutions increase the number of dependencies and give attackers more points of attack. And since companies rely on deeper integration between systems to improve performance and productivity, an attack can spread quickly once it is inside.
Attacks on the supply chain, in which third-party software is used to infiltrate a company, are now almost commonplace. In 2020, malicious code that had been injected into a software update of SolarWinds first spread to US federal authorities, before affecting around 18,000 companies worldwide. In March of this year, more than 20,000 US organizations were compromised through a vulnerability in Microsoft’s Exchange Server. It is not uncommon for the biggest risk to come from seemingly harmless partners in the supply chain. The attack on the US retail company Target in 2013, one of the largest data leaks in history, was made possible by compromising the air conditioning software of a partner. The issue of security in the value chain is so topical that it is the subject of a new White House regulation. And it is not only in the USA that the topic is more relevant than ever.
New solutions for new problems?
Not only the risks of attacks on the software supply chain are obvious, but also the promise of new technological achievements. Many companies are confronted with exactly this dichotomy. In everyday work, software developers often face a choice: either they strive to comply with the highest security standards, or they get rid of these “inconveniences” and instead focus on their creativity.
One way to reconcile these seemingly contradictory aspirations is to rethink software signing: the process of providing verifiable proof that the software has not been modified or corrupted before it was deployed, that is, that it is trustworthy.
Traditional methods of signing code use cryptographic keys, for example, to verify the author and the integrity of the contents of a software repository. This means that the developer must generate the keys and then store them securely. Some feel this responsibility is too big and simply no longer sign the code they write, which is bad for security, or write less code, which is bad for innovation. Both have an impact on other developers. A large part of today’s software is developed according to open source principles, where everyone can adopt and adapt the code; the question of origin thus becomes a central issue. This also applies to proprietary software, which increasingly builds on open source code.
Shared code, shared responsibility
However, the open source community is now taking the lead in designing a more developer-friendly software signing environment. The project, called sigstore, replaces persistent keys with ephemeral keys linked to existing identities, such as an email address or a social media login. It also creates a public and immutable log of all signing activity. Both essentially relieve developers of the burden of software signing, so that they can concentrate on their actual tasks. In addition, a system that does not rely on long-lived keys that can be stolen or lost is inherently more secure.
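The keyless flow just described, and the contrast with the traditional persistent-key model of the preceding paragraphs, as an added example in Go (example code written for this article; it is neither sigstore's own code nor part of the original page): an ephemeral key pair is generated, a simulated certificate authority binds its public half to an identity for ten minutes, the artifact digest is signed, the signature is recorded in a hash-chained append-only log, and a verifier then checks artifact, certificate, identity, signature and log. The certificate structure, the log structure and the identity dev@example.com are constructed simplifications standing in for what Fulcio (X.509 certificates issued against an OIDC login) and Rekor (a Merkle-tree transparency log) do in the real system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Cert stands in for Fulcio's short-lived certificate (constructed, not real X.509).
type Cert struct {
	Identity            string            // e.g. an e-mail address from an OIDC login
	PublicKey           ed25519.PublicKey // ephemeral key; the developer never stores it
	NotBefore, NotAfter time.Time
	CASig               []byte // the certificate authority's signature over the fields above
}

func certTBS(c Cert) []byte {
	return []byte(fmt.Sprintf("%s|%x|%d|%d", c.Identity, c.PublicKey, c.NotBefore.Unix(), c.NotAfter.Unix()))
}

// Bundle is what a verifier receives next to the artifact.
type Bundle struct {
	Digest    [32]byte
	Signature []byte
	Cert      Cert
}

// Entry is one record of a simplified hash-chained log standing in for Rekor.
type Entry struct {
	Bundle
	IntegratedTime time.Time // when the log accepted the signature
	PrevHash, Hash [32]byte
}
type Log struct{ Entries []Entry }

func entryHash(e Entry) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%x|%x|%x|%s|%d", e.PrevHash[:], e.Digest[:], e.Signature, certTBS(e.Cert), e.IntegratedTime.Unix())))
}

// Append links the new entry to the previous one and returns its index.
func (l *Log) Append(b Bundle, now time.Time) int {
	e := Entry{Bundle: b, IntegratedTime: now}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return len(l.Entries) - 1
}

// Sign is the "keyless" flow: generate an ephemeral key pair, let the CA bind its
// public half to the identity, sign the digest, log it, and drop the private key.
func Sign(artifact []byte, identity string, caPriv ed25519.PrivateKey, l *Log, now time.Time) (Bundle, int, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Bundle{}, -1, err
	}
	cert := Cert{Identity: identity, PublicKey: pub, NotBefore: now, NotAfter: now.Add(10 * time.Minute)}
	cert.CASig = ed25519.Sign(caPriv, certTBS(cert))
	digest := sha256.Sum256(artifact)
	b := Bundle{Digest: digest, Signature: ed25519.Sign(priv, digest[:]), Cert: cert}
	return b, l.Append(b, now), nil // priv goes out of scope: nothing persistent to steal or lose
}

// Verify checks artifact, certificate, identity, signature, log inclusion and log
// integrity; the certificate window is checked against the log's integrated time.
func Verify(artifact []byte, b Bundle, idx int, caPub ed25519.PublicKey, l *Log, wantIdentity string) error {
	digest := sha256.Sum256(artifact)
	switch {
	case digest != b.Digest:
		return errors.New("artifact digest does not match bundle")
	case !ed25519.Verify(caPub, certTBS(b.Cert), b.Cert.CASig):
		return errors.New("certificate not issued by the trusted CA")
	case b.Cert.Identity != wantIdentity:
		return fmt.Errorf("signed by %q, expected %q", b.Cert.Identity, wantIdentity)
	case !ed25519.Verify(b.Cert.PublicKey, digest[:], b.Signature):
		return errors.New("artifact signature invalid")
	case idx < 0 || idx >= len(l.Entries):
		return errors.New("no log entry for this signature")
	}
	e := l.Entries[idx]
	if entryHash(Entry{Bundle: b, IntegratedTime: e.IntegratedTime, PrevHash: e.PrevHash}) != e.Hash {
		return errors.New("log entry does not match bundle")
	}
	if e.IntegratedTime.Before(b.Cert.NotBefore) || e.IntegratedTime.After(b.Cert.NotAfter) {
		return errors.New("signature logged outside the certificate's validity window")
	}
	var prev [32]byte // recompute every link: an edited or dropped entry breaks the chain
	for i, ent := range l.Entries {
		if ent.PrevHash != prev || ent.Hash != entryHash(ent) {
			return fmt.Errorf("log tampered at entry %d", i)
		}
		prev = ent.Hash
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	tlog, artifact := &Log{}, []byte("constructed sample: release tarball bytes")
	b, idx, _ := Sign(artifact, "dev@example.com", caPriv, tlog, time.Now())
	fmt.Println("genuine:", Verify(artifact, b, idx, caPub, tlog, "dev@example.com"))
	fmt.Println("tampered:", Verify(append(artifact, '!'), b, idx, caPub, tlog, "dev@example.com"))
}
```

The design point worth noticing is in Verify: the certificate is only valid for ten minutes, yet the signature remains verifiable indefinitely, because the validity window is compared with the time the log accepted the entry rather than with the verifier's clock. The log, not the developer's key store, is what makes the signature durable, which is why the private key can be discarded the moment signing is done.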
The project is growing strongly: since the launch of sigstore in 2019, the founding members Red Hat, Google and Purdue University have been joined by other organizations, and the project has been placed under the auspices of the Linux Foundation. Its scope has also grown: subprojects such as Cosign (for signing containers and other software artifacts), Rekor (a transparency protocol) and Fulcio (a certificate authority) are now independent. In addition, cooperation with other open source initiatives has begun, in particular with Tekton Chains (an offshoot of the Tekton CI/CD project).
In future, wider use of sigstore is also conceivable, for example as an integrated feature within a broader range of technologies. Integration into developers’ existing toolkits advances one of the project’s main goals: simplifying and automating code signing to the point where it becomes invisible infrastructure that developers no longer notice, let alone have to manage.