Sigstore explained: How it helps secure the software supply chain

Notable incidents such as SolarWinds and Log4j have placed a focus on software supply chain security. They have also sent security teams in search of tools to ensure the integrity of software from third parties. Software use is ubiquitous, with digital platforms now accounting for 60% of GDP per the World Economic Forum (WEF). While the way we use software has changed and is changing the world, the methods for ensuring the integrity of software sourced from across the ecosystem are lacking. The software supply chain often makes no use of digital signatures at all, and where it does, it typically relies on traditional signing techniques that are hard to automate and audit.

Sigstore definition

Enter sigstore. As sigstore co-creator and Chainguard founder Dan Lorenc has put it, sigstore is “a free signing service for software developers that improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies.”

Who has adopted sigstore?

It isn’t just the sigstore team who see the value in the proposed technology. Kubernetes announced that it was standardizing on sigstore, using it in its latest 1.24 release. This allows Kubernetes consumers to ensure the distribution they’re using is what is intended. Adding to that endorsement, the Linux Foundation and OpenSSF recently published “The Open Source Software Security Mobilization Plan,” which emphasizes digital signatures to enhance trust in the software supply chain. The proposed approach includes using the sigstore project due to its critical components such as a certificate authority, transparency logs and ecosystem-specific libraries.

How does sigstore work?

Sigstore is set up to help address some of the existing gaps in the open-source software (OSS) supply chain and how we handle integrity, digital signatures and verifying the authenticity of OSS components. This is critical since 90% of IT leaders are using OSS. Organizations are prioritizing hiring OSS talent, and we’ve seen several notable software supply chain incidents as mentioned above.

Sigstore brings together several OSS tools such as Fulcio, Cosign and Rekor to assist with digital signing, verification and checks of code provenance. Code provenance is the ability to have a chain of custody showing where code originated and from whom. The Uber Privacy and Security team has published an excellent blog post discussing how they approach the path to code provenance.
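The transparency-log side of this, as an added example that is not code from the article or from the sigstore project: a small Go model of a Rekor-style append-only Merkle log. Entries here are a constructed (identity, artifact digest) pair rather than Rekor's real record format, the tree splits subtrees in half (a simplification of the RFC 6962 layout), and the identities and digests in `main` are made up. It shows the two things a defender gets from such a log: a consumer holding only the tree head can check that a signing event was actually recorded (`VerifyInclusion`), and a monitor can list every signing made under an identity (`Audit`) so that a signature that identity never produced stands out.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Entry is the record a signing event leaves behind. This is a constructed,
// simplified shape; a Rekor entry carries the full certificate and signature.
type Entry struct{ Identity, Digest string }

func (e Entry) bytes() []byte { return []byte(e.Identity + "\n" + e.Digest) }

// Log is an append-only Merkle tree over entries, the structure behind Rekor.
type Log struct{ entries []Entry }

// ProofStep is one sibling hash on the path from a leaf to the tree head; Left
// says the sibling sits to the left of the path node.
type ProofStep struct {
	Sibling [32]byte
	Left    bool
}

// Leaves and interior nodes use different hash prefixes, as in RFC 6962, so a
// leaf can never be passed off as an interior node.
func leafHash(e Entry) [32]byte { return sha256.Sum256(append([]byte{0}, e.bytes()...)) }
func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{1}, l[:]...), r[:]...))
}

// Append records an entry and returns its leaf index.
func (l *Log) Append(e Entry) int {
	l.entries = append(l.entries, e)
	return len(l.entries) - 1
}

// Head returns the current tree head; Prove returns the inclusion proof for leaf
// idx. Subtrees are split in half here, a simplification of the RFC 6962 layout.
func (l *Log) Head() [32]byte            { h, _ := l.merkle(0, len(l.entries), -1); return h }
func (l *Log) Prove(idx int) []ProofStep { _, p := l.merkle(0, len(l.entries), idx); return p }

// merkle hashes entries[lo:hi) and collects the proof for idx if it lies inside.
func (l *Log) merkle(lo, hi, idx int) ([32]byte, []ProofStep) {
	if hi-lo == 0 { return [32]byte{}, nil }
	if hi-lo == 1 { return leafHash(l.entries[lo]), nil }
	mid := lo + (hi-lo)/2
	lh, lp := l.merkle(lo, mid, idx)
	rh, rp := l.merkle(mid, hi, idx)
	if idx >= lo && idx < mid { return nodeHash(lh, rh), append(lp, ProofStep{rh, false}) }
	if idx >= mid && idx < hi { return nodeHash(lh, rh), append(rp, ProofStep{lh, true}) }
	return nodeHash(lh, rh), nil
}

// VerifyInclusion lets a consumer holding only the head check that e was logged.
func VerifyInclusion(e Entry, proof []ProofStep, head [32]byte) bool {
	h := leafHash(e)
	for _, s := range proof {
		if s.Left { h = nodeHash(s.Sibling, h) } else { h = nodeHash(h, s.Sibling) }
	}
	return h == head
}

// Audit is what a log monitor does: list every digest signed under an identity,
// so a signature that identity never made stands out and can be investigated.
func (l *Log) Audit(identity string) []string {
	var out []string
	for _, e := range l.entries {
		if e.Identity == identity { out = append(out, e.Digest) }
	}
	return out
}

func main() {
	l := &Log{}
	l.Append(Entry{"alice@example.com", "sha256:aaa"}) // constructed entries
	i := l.Append(Entry{"bob@example.com", "sha256:bbb"})
	l.Append(Entry{"alice@example.com", "sha256:ccc"})
	head, proof := l.Head(), l.Prove(i)
	fmt.Println("bob's entry included:", VerifyInclusion(l.entries[i], proof, head))
	fmt.Println("alice signed:", l.Audit("alice@example.com"))
}
```

The proof only proves inclusion against one head; once more entries are appended the head changes and a consumer needs a fresh proof for the new tree size, which is why real clients also check consistency between successive heads (left out here).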

Unpacking some of the core sigstore components, let’s start with Fulcio. Fulcio is a root certificate authority (CA) that focuses on code signing. It is free and issues certificates tied to OpenID Connect (OIDC) identities, so developers can often sign with identifiers they are already associated with. With the rapid adoption and growth of cloud-native architectures and deployment of containers, signing containers has become a key security best practice.
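Fulcio's identity-bound, short-lived certificates are easiest to see in code. The following Go program is an added example, not the article's or the sigstore project's code: `CA` plays Fulcio's part, issuing a ten-minute code-signing certificate whose subject alternative name carries the email that an OIDC login is assumed to have already proven (the OIDC exchange itself is left out), `Sign` plays the keyless signing flow with a throw-away key, and `Verify` does what a consumer must do: check the chain to the trusted root and the code-signing usage, check the identity, and check the signature over the artifact digest. The root name, email and artifact bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA stands in for Fulcio: a root that issues short-lived certificates binding an
// identity proven through OIDC (modelled here as an email) to a signing public key.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-fulcio-root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &CA{Key: key, Cert: cert}, err
}

// Issue binds email to pub for ten minutes only: the signing key is ephemeral, so
// the certificate need not outlive the signing session. The OIDC login that
// proved the email is assumed to have happened before this call.
func (c *CA) Issue(email string, pub *ecdsa.PublicKey) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: serial, EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, c.Cert, pub, c.Key)
}

// Bundle is what the signer hands to consumers: certificate plus signature.
type Bundle struct{ CertDER, Signature []byte }

// Sign mirrors a keyless signing run: fresh key, identity certificate from the
// CA, signature over the artifact digest, and the private key is then dropped.
func Sign(ca *CA, email string, artifact []byte) (*Bundle, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	certDER, err := ca.Issue(email, &key.PublicKey)
	if err != nil { return nil, err }
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return &Bundle{CertDER: certDER, Signature: sig}, err
}

// Verify runs the checks a consumer needs: the certificate chains to the trusted
// root and permits code signing, it names the expected identity, and the
// signature covers this exact artifact.
func Verify(root *x509.Certificate, b *Bundle, artifact []byte, email string) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil { return err }
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil { return err }
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != email {
		return errors.New("certificate was issued to a different identity")
	}
	digest := sha256.Sum256(artifact)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return errors.New("signature does not cover this artifact")
	}
	return nil
}

func main() {
	ca, err := NewCA()
	if err != nil { panic(err) }
	artifact := []byte("constructed artifact: contents of a release tarball")
	b, err := Sign(ca, "dev@example.com", artifact)
	if err != nil { panic(err) }
	fmt.Println("genuine artifact:", Verify(ca.Cert, b, artifact, "dev@example.com"))
	fmt.Println("tampered artifact:", Verify(ca.Cert, b, []byte("tampered"), "dev@example.com"))
}
```

Two caveats carry over to the real system. This toy checks the certificate's validity window at verification time, so its bundles stop verifying ten minutes after signing; sigstore instead proves the signature was made while the certificate was valid by tying it to the transparency log's timestamp, which is why a long-expired Fulcio certificate still verifies. And the identity check matters as much as the chain check: a certificate from the right CA for the wrong identity is still the wrong signer, which is why sigstore verification pins both the expected identity and the OIDC issuer that vouched for it.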

Copyright © 2022 IDG Communications, Inc.
