VRB News
Virtual Reality Brisbane

New code signing not only for open source code

by admin, March 29, 2022, in IT news

The open source community is taking the lead in designing a more developer-friendly software signing environment.

With Sigstore for secure software supply chain, new code signing not only for open source code

Signing code to establish the trustworthiness of software is part of developers' daily bread, but by no means one of their most popular tasks. Open source communities are therefore driving the development of simpler software signing environments.

In the race for competitive advantage, companies are increasingly relying on specialized software solutions. As a result, many IT landscapes have become a patchwork of systems from different providers. This increases the risk to information security: more solutions mean more dependencies, and more dependencies give attackers more points of attack. And because companies rely on deep integration between systems to optimize performance and productivity, an attack can then spread quickly.

Attacks on the supply chain, in which third-party software is used to infiltrate a company, are now almost commonplace. In 2020, malicious code injected into a software update of SolarWinds first spread to US federal authorities, before affecting around 18,000 companies worldwide. In March of this year, more than 20,000 US organizations were compromised through a vulnerability in Microsoft’s Exchange Server. It is not uncommon for the biggest risk to come from seemingly harmless partners in the supply chain. The attack on the US retail company Target in 2013, one of the largest data leaks in history, was made possible by hacking a partner’s air conditioning software. Security in the value chain is so topical that it is the subject of a new White House regulation. And it is not only in the USA that the topic is more relevant than ever.

New solutions for new problems?

The risks of attacks on the software supply chain are obvious, but so are the promises of new technology, and many companies are confronted with exactly this dichotomy. In everyday work, software developers often face a choice: either they strive to comply with the highest security standards, or they get rid of these “inconveniences” and focus on their creativity instead.

One way to reconcile these seemingly contradictory aspirations is to rethink software signing: the process of providing indisputable proof that software has not been modified or tampered with before it was deployed, that is, that it is trustworthy.

Traditional code signing uses persistent cryptographic keys, for example to verify the author and the integrity of the contents of a software repository. This means the developer must generate the keys and then store them securely. Some feel this responsibility is too big and simply stop signing the code they write, which is bad for security, or write less code, which is bad for innovation. Both affect other developers. Since a large part of today’s software is developed according to open source principles, where anyone can adopt and adapt the code, the question of origin becomes a central issue. This also applies to proprietary software, which increasingly incorporates open source code.

Shared code, shared responsibility

The open source community is now taking the lead in designing a more developer-friendly software signing environment. The project, called sigstore, replaces persistent keys with ephemeral keys bound to existing identities, such as an email address or a social media login, and records all signing activity in a public, immutable log. Both largely relieve developers of the burden of software signing, so that they can concentrate on their actual tasks. In addition, a system that does not rely on long-lived keys that can be stolen or lost is inherently more secure.

The project is developing strongly: since the launch of sigstore in 2019, the founding members Red Hat, Google and Purdue University have been joined by other organizations, and the project has been placed under the auspices of the Linux Foundation. The scope has also grown: subprojects such as Cosign (for signing containers and general software artifacts), Rekor (a transparency protocol) and Fulcio (a certification authority) are now independent subprojects. Cooperation with other open source initiatives has also begun, in particular with Tekton Chains (an offshoot of the Tekton CI/CD project).
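To make the keyless flow described above concrete, here is an added example in Go (the language sigstore itself is written in) that is not code from the sigstore project or from this article. It models the flow with a toy certificate authority that issues ten-minute certificates bound to a login identity (the role Fulcio plays), an in-memory append-only log (the role Rekor plays, minus the Merkle-tree inclusion proofs), a signer that generates a fresh key per signature and never stores it, and a verifier that needs only the CA public key and the log. The `Cert`, `Entry`, `Log`, `Sign` and `Verify` names, the certificate format, the ten-minute validity and the sample artifact are assumptions of this model, not sigstore's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Cert binds an ephemeral public key to a login identity for ten minutes (toy stand-in for a Fulcio-style certificate; hypothetical format).
type Cert struct {
	Subject  string // identity proven by an existing login, e.g. an email address
	PubKey   *ecdsa.PublicKey
	NotAfter time.Time
	CASig    []byte // CA signature over tbs()
}

// tbs digests the fields the CA vouches for ("to be signed").
func (c Cert) tbs() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%d\x00", c.Subject, c.NotAfter.Unix())
	h.Write(c.PubKey.X.Bytes())
	h.Write(c.PubKey.Y.Bytes())
	return h.Sum(nil)
}

// CA holds the only long-lived private key in this model.
type CA struct{ Key *ecdsa.PrivateKey }
func NewCA() (*CA, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &CA{Key: k}, err
}

// Issue certifies pub for subject once the login has proven that identity.
func (ca *CA) Issue(subject string, pub *ecdsa.PublicKey, now time.Time) (Cert, error) {
	c := Cert{Subject: subject, PubKey: pub, NotAfter: now.Add(10 * time.Minute)}
	sig, err := ecdsa.SignASN1(rand.Reader, ca.Key, c.tbs())
	c.CASig = sig
	return c, err
}

// Entry is one public log record; At is when the log accepted it (the real Rekor is a Merkle-tree log with inclusion proofs, omitted here).
type Entry struct {
	Digest [32]byte
	Sig    []byte
	Cert   Cert
	At     time.Time
}
type Log struct{ Entries []Entry }

// Sign is the keyless flow: fresh key, identity-bound cert, signature, log entry. The private key goes out of scope here and is never stored.
func Sign(ca *CA, l *Log, subject string, artifact []byte, now time.Time) (int, error) {
	eph, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	cert, err := ca.Issue(subject, &eph.PublicKey, now)
	if err != nil {
		return 0, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, eph, digest[:])
	if err != nil {
		return 0, err
	}
	l.Entries = append(l.Entries, Entry{Digest: digest, Sig: sig, Cert: cert, At: now})
	return len(l.Entries) - 1, nil
}

// Verify needs only the CA public key and the log; it keeps working after the cert expires because the log timestamp, not the wall clock, is checked.
func Verify(caPub *ecdsa.PublicKey, l *Log, idx int, artifact []byte, want string) error {
	if idx < 0 || idx >= len(l.Entries) {
		return fmt.Errorf("no log entry %d", idx)
	}
	e := l.Entries[idx]
	if !ecdsa.VerifyASN1(caPub, e.Cert.tbs(), e.Cert.CASig) {
		return fmt.Errorf("certificate not issued by the trusted CA")
	}
	if e.Cert.Subject != want {
		return fmt.Errorf("signed by %q, want %q", e.Cert.Subject, want)
	}
	if e.At.After(e.Cert.NotAfter) {
		return fmt.Errorf("logged after certificate expiry")
	}
	if d := sha256.Sum256(artifact); d != e.Digest || !ecdsa.VerifyASN1(e.Cert.PubKey, d[:], e.Sig) {
		return fmt.Errorf("artifact signature invalid")
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	l := &Log{}
	art := []byte("constructed release tarball bytes") // constructed sample artifact
	idx, _ := Sign(ca, l, "dev@example.org", art, time.Now())
	fmt.Println("verify:", Verify(&ca.Key.PublicKey, l, idx, art, "dev@example.org")) // prints "verify: <nil>"
}
```

Three things to observe: the signing key exists only inside `Sign`, so there is nothing for a developer to store or for an attacker to steal; the verifier asks "was this signed by `dev@example.org`?" rather than "does this match key X?", which is what makes identity-based trust policies possible; and because the expiry check compares the log's own timestamp with the certificate's validity window, an artifact can still be verified years after its ten-minute certificate expired, which is why a public log is needed at all.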

In the future, wider use of sigstore is conceivable, for example as an integrated feature of a broader range of technologies. Integration into a developer’s existing toolkit advances one of the project’s main goals: simplifying and automating code signing to the point where it becomes invisible infrastructure that developers no longer notice, let alone have to take care of.

© 2021 - The project has been developed ServReality