VRB News
Virtual Reality Brisbane
New code signing not only for open source code

by admin
March 29, 2022
in IT news
The open source community is taking the lead in designing a more developer-friendly software signing environment.

With Sigstore for a secure software supply chain: new code signing, and not only for open source code

Signing code to ensure the trustworthiness of software is part of developers' daily bread, but by no means one of their favourite tasks. Open source communities are therefore driving the development of simpler software signing environments.

In the race for competitive advantage, companies increasingly rely on specialized software solutions. As a result, many IT landscapes have become a patchwork of systems from different vendors. This state of affairs means an increased risk to information security: more solutions mean more dependencies and give attackers more points of entry. And since companies rely on ever deeper integration between systems to optimize performance and productivity, an attack can then spread quickly.

Attacks on the supply chain, in which third-party software is used to infiltrate a company, are now almost commonplace. In 2020, malicious code injected into a SolarWinds software update first spread to US federal agencies before affecting around 18,000 companies worldwide. In March of this year, more than 20,000 US organizations were compromised through a vulnerability in Microsoft's Exchange Server. It is not uncommon for the biggest risk to come from seemingly harmless partners in the supply chain. The attack on the US retailer Target in 2013, one of the largest data breaches in history, was made possible by compromising the software of its air-conditioning partner. Security in the value chain has become so topical that it is the subject of a new White House regulation. And it is not only in the USA that the topic is more relevant than ever.

New solutions for new problems?

Yet it is not only the risks of attacks on the software supply chain that are obvious; so are the promises of new technological achievements. Many companies are confronted with exactly this dichotomy. In everyday work, software developers often face a choice: either they strive to comply with the highest security standards, or they shed these "inconveniences" and focus on their creativity instead.

One way to reconcile these seemingly contradictory aspirations is to rethink software signing: the process of providing indisputable proof that software has not been modified or corrupted before it was deployed, in other words, that it is trustworthy.

Traditional methods of signing code use cryptographic keys to verify, for example, the author and the integrity of the contents of a software repository. This means that the developer must generate the keys and then store them securely. Some feel this responsibility is too big and simply stop signing the code they write, which is bad for security, or write less code, which is bad for innovation. Both have an impact on other developers. Since a large part of today's software is developed according to open source principles, where anyone can adopt and adapt the code, the question of origin becomes a central issue. This also applies to proprietary software, which increasingly draws on open source code.

Shared code, shared responsibility

However, the open source community is now taking the lead in designing a more developer-friendly software signing environment. The project, called sigstore, replaces persistent keys with ephemeral keys linked to existing identities, such as an email address or a social media login. It also creates a public, immutable log of all signing activity. Both essentially relieve developers of the burden of software signing, so that they can concentrate on their actual tasks. In addition, a system that does not rely on long-lived keys that can be stolen or lost is inherently more secure.
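The two models described above, long-lived developer keys on the one hand and ephemeral keys bound to an identity and recorded in a public log on the other, can be made concrete in code. The following Go program is an added example written for this page, not sigstore's own code: it models a miniature keyless signing flow with simplified stand-ins for Fulcio (a certificate authority issuing ten-minute certificates that bind a fresh Ed25519 key to an e-mail identity) and Rekor (an append-only, hash-chained log). The identity, issuer URL, artifact bytes, hash-chain layout and ten-minute lifetime are constructed for illustration; real sigstore uses X.509 certificates, OIDC tokens and a Merkle-tree log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Cert is a simplified stand-in for the short-lived certificate Fulcio issues (real Fulcio issues X.509).
type Cert struct {
	Identity, Issuer    string            // e.g. e-mail address and the login provider that asserted it
	PubKey              ed25519.PublicKey // ephemeral key, discarded right after signing
	NotBefore, NotAfter time.Time
	CASig               []byte // CA signature over the fields above
}
// tbs returns the bytes the CA signs ("to be signed").
func (c Cert) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%s|%x|%d|%d", c.Identity, c.Issuer, c.PubKey, c.NotBefore.Unix(), c.NotAfter.Unix()))
}

// CA stands in for Fulcio; its key is the only long-lived secret in the system.
type CA struct{ priv ed25519.PrivateKey; Pub ed25519.PublicKey }
func NewCA() CA { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return CA{priv, pub} }
// Issue binds an already-authenticated identity to a key for ten minutes (constructed lifetime).
func (ca CA) Issue(identity, issuer string, pub ed25519.PublicKey, now time.Time) Cert {
	c := Cert{Identity: identity, Issuer: issuer, PubKey: pub, NotBefore: now, NotAfter: now.Add(10 * time.Minute)}
	c.CASig = ed25519.Sign(ca.priv, c.tbs())
	return c
}

// LogEntry and Log stand in for Rekor: append-only, each entry's hash chained to its predecessor.
type LogEntry struct {
	Index                   int
	ArtifactHash, EntryHash [32]byte // SHA-256 of the artifact; hash of this entry chained to the previous one
	Signature               []byte
	Cert                    Cert
	Integrated              time.Time // when the log accepted the entry
}
type Log struct{ Entries []LogEntry }
func entryHash(prev [32]byte, e LogEntry) [32]byte {
	body := fmt.Sprintf("%d|%x|%x|%x|%d", e.Index, e.ArtifactHash, e.Signature, e.Cert.CASig, e.Integrated.Unix())
	return sha256.Sum256(append(prev[:], body...))
}
func (l *Log) Append(e LogEntry, now time.Time) LogEntry {
	var prev [32]byte
	if e.Index, e.Integrated = len(l.Entries), now; e.Index > 0 {
		prev = l.Entries[e.Index-1].EntryHash
	}
	e.EntryHash = entryHash(prev, e)
	l.Entries = append(l.Entries, e)
	return e
}

// Consistent recomputes the whole chain; false means history was altered after the fact.
func (l *Log) Consistent() bool {
	var prev [32]byte
	for i, e := range l.Entries {
		if e.Index != i || entryHash(prev, e) != e.EntryHash {
			return false
		}
		prev = e.EntryHash
	}
	return true
}

// Sign is the developer side: fresh key pair, short-lived cert, sign, publish. The private key is never stored.
func Sign(ca CA, tlog *Log, identity, issuer string, artifact []byte, now time.Time) LogEntry {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	digest := sha256.Sum256(artifact)
	cert := ca.Issue(identity, issuer, pub, now)
	return tlog.Append(LogEntry{ArtifactHash: digest, Signature: ed25519.Sign(priv, digest[:]), Cert: cert}, now)
}

// Verify is the consumer side: no key from the developer is needed, only the CA's public key, the
// identity expected to have signed, and the log. Because the signing key no longer exists,
// certificate validity is judged at the time the log accepted the entry.
func Verify(caPub ed25519.PublicKey, tlog *Log, e LogEntry, wantIdentity, wantIssuer string, artifact []byte) error {
	switch digest := sha256.Sum256(artifact); {
	case !ed25519.Verify(caPub, e.Cert.tbs(), e.Cert.CASig):
		return errors.New("certificate was not issued by the trusted CA")
	case e.Cert.Identity != wantIdentity || e.Cert.Issuer != wantIssuer:
		return errors.New("certificate is bound to an unexpected identity")
	case e.Integrated.Before(e.Cert.NotBefore) || e.Integrated.After(e.Cert.NotAfter):
		return errors.New("signature was not logged within the certificate lifetime")
	case digest != e.ArtifactHash || !ed25519.Verify(e.Cert.PubKey, digest[:], e.Signature):
		return errors.New("artifact does not match the signature")
	case e.Index >= len(tlog.Entries) || tlog.Entries[e.Index].EntryHash != e.EntryHash:
		return errors.New("entry is not present in the transparency log")
	}
	return nil
}

func main() {
	ca, tlog, art := NewCA(), &Log{}, []byte("constructed sample release tarball") // constructed input
	e := Sign(ca, tlog, "dev@example.com", "https://login.example.com", art, time.Now())
	fmt.Println("verify:", Verify(ca.Pub, tlog, e, "dev@example.com", "https://login.example.com", art), "log consistent:", tlog.Consistent())
}
```

The consumer never receives a key from the developer: it checks the CA's signature on the certificate, that the identity is the one it expects, that the log accepted the entry while the certificate was valid, the artifact signature, and the entry's presence in the log. Recomputing the hash chain with Consistent is the simplified counterpart to auditing the real log's Merkle tree, and it is what makes a later rewrite of history detectable.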

The project is growing strongly: since the launch of sigstore in 2019, the founding members Red Hat, Google and Purdue University have been joined by other organizations, and the project has been placed under the auspices of the Linux Foundation. Its scope has also grown: subprojects such as Cosign (for signing containers and general software artifacts), Rekor (a transparency log) and Fulcio (a certificate authority) are now independent. Cooperation with other open source initiatives has also begun, in particular with Tekton Chains (an offshoot of the Tekton CI/CD project).

In future, wider use of sigstore is also conceivable, for example as an integrated feature within a broader range of technologies. Integrating it into a developer's existing toolkit advances one of the project's main goals: simplifying and automating code signing to the point where it becomes invisible infrastructure that developers no longer even notice, let alone have to take care of.

© 2023 - The project has been developed ServReality