Google has teamed up with the Linux community on a new project that aims to make open source software more secure through easy code signing and verification.
The project – dubbed ‘sigstore’ – is spearheaded by the Linux Foundation and aims to use digital signature technology to ensure supply chain integrity and defend against software supply chain attacks.
In a blog post, Google cites the recent run of so-called ‘dependency confusion’ attacks and the abuse of malicious RubyGems packages to steal cryptocurrency as examples of the kinds of attacks that sigstore is gearing up to frustrate.
Described as a ‘Let’s Encrypt for code signing’, sigstore is designed to make it straightforward for developers to sign software releases and for users to verify them. The service will be free to use.
Chain of trust
Let’s Encrypt provides free TLS certificates and automation tooling so that websites can run on HTTPS. In a similar manner, sigstore provides free certificates and tooling to automate the signing of software artifacts and the verification of those signatures. The approach is backed by transparency logs that record each signing event.
Without such tooling and checks, the software supply chain will continue to be riddled with contamination and malfeasance, according to Google.
“Installing most open source software today is equivalent to picking up a random thumb drive off the sidewalk and plugging it into your machine. To address this, we need to make it possible to verify the provenance of all software – including open source packages,” explains the blog post.
Because long-term key management is hard, sigstore instead issues short-lived signing certificates against an OpenID Connect login: the developer authenticates with an OIDC provider, and the certificate binds that identity to the key used for signing, so there is no long-lived private key to protect, rotate or lose.
To get around key distribution problems, sigstore is designed around a root certificate authority (CA) for code signing, so verifiers need to trust only that root rather than collect and vet every developer’s key.
Transparency logs, backed by Trillian, record every certificate issued and every signature made in a public, append-only structure. That record is the built-in fallback mechanism that lets the system detect and recover from a compromise: misissued certificates or unexpected signing events are visible to anyone who audits the log.
A statement by the Linux Foundation explains: “sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log.”
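The flow described above, as an added example written for this page in Go (the language the sigstore tooling is written in); it is not the sigstore project’s own code and does not come from the article. It assumes a throwaway self-signed CA in place of the sigstore root, models the OIDC-verified identity as an email claim on the certificate, picks ten minutes as the certificate lifetime, and stands in for Trillian with a small RFC 6962-style Merkle tree that has no inclusion proofs and no signed tree head. The function and type names (NewCA, Sign, Verify, Log, Entry) and the sample artifact are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must shortens setup paths; Verify itself returns errors, as a real verifier would.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// NewCA stands in for the sigstore code-signing root: a throwaway self-signed CA (an assumption of this demo).
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return key, issue(tmpl, tmpl, &key.PublicKey, key)
}

// Entry is what the log publishes: artifact sha256, DER short-lived cert, ASN.1 ECDSA signature, integrated time.
type Entry struct {
	Digest    [32]byte
	Cert, Sig []byte
	Time      time.Time // verifiers trust this, not the wall clock
}
func (e Entry) leaf() []byte { return []byte(fmt.Sprintf("%x|%x|%x|%d", e.Digest, e.Cert, e.Sig, e.Time.UnixNano())) }

// Log is an append-only Merkle tree with RFC 6962 hashing; inclusion proofs are left out, so the verifier recomputes the root.
type Log struct{ leaves [][]byte }

func leafHash(b []byte) []byte    { h := sha256.Sum256(append([]byte{0}, b...)); return h[:] }
func nodeHash(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }
func (l *Log) Append(e Entry) int { l.leaves = append(l.leaves, leafHash(e.leaf())); return len(l.leaves) - 1 }
func merkleRoot(h [][]byte) []byte { // assumes at least one leaf
	if len(h) == 1 {
		return h[0]
	}
	k := 1
	for k*2 < len(h) { // split at the largest power of two below len(h)
		k *= 2
	}
	return nodeHash(merkleRoot(h[:k]), merkleRoot(h[k:]))
}

// Sign is the client flow: ephemeral key, ten-minute cert binding the OIDC identity (an email claim here), sign, publish, forget the key.
func Sign(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, tlog *Log, identity string, artifact []byte) (Entry, int) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now, digest := time.Now(), sha256.Sum256(artifact)
	cert := issue(&x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), EmailAddresses: []string{identity},
		NotBefore: now, NotAfter: now.Add(10 * time.Minute), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, caCert, &key.PublicKey, caKey)
	e := Entry{digest, cert.Raw, must(ecdsa.SignASN1(rand.Reader, key, digest[:])), now}
	return e, tlog.Append(e)
}

// Verify checks digest, chain validity at the log's integrated time (the cert has long expired by now),
// the expected identity, the signature, and membership in the log whose root the verifier trusts.
func Verify(caCert *x509.Certificate, tlog *Log, logRoot []byte, e Entry, i int, identity string, artifact []byte) error {
	cert, err := x509.ParseCertificate(e.Cert)
	if err != nil || sha256.Sum256(artifact) != e.Digest {
		return fmt.Errorf("unparseable certificate or artifact digest mismatch: %v", err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: e.Time, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != identity {
		return fmt.Errorf("signer identity %v, want %s", cert.EmailAddresses, identity)
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, e.Digest[:], e.Sig) {
		return fmt.Errorf("signature does not verify")
	}
	if i < 0 || i >= len(tlog.leaves) || string(tlog.leaves[i]) != string(leafHash(e.leaf())) || string(merkleRoot(tlog.leaves)) != string(logRoot) {
		return fmt.Errorf("entry not in transparency log")
	}
	return nil
}

func main() {
	caKey, caCert := NewCA()
	tlog, art := &Log{}, []byte("constructed release tarball")
	e, i := Sign(caKey, caCert, tlog, "dev@example.com", art)
	fmt.Println("genuine:", Verify(caCert, tlog, merkleRoot(tlog.leaves), e, i, "dev@example.com", art))
}
```

Two details carry the security argument. Verify evaluates the certificate at the time the log recorded, never at time.Now(): the certificate is valid for ten minutes, so by the time a consumer installs the package it has expired, and it is the log's timestamp that says the signature was made while it was valid. That only works because the timestamp comes from a third party; if the signer supplied it, a stolen identity could backdate signatures at will. The identity check is what replaces key distribution: a verifier pins a root CA and an expected identity, not a key. The real system additionally has the log sign its tree head and serve inclusion proofs, so a verifier does not need the full leaf list.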
Work in progress
Although still in its early days, working prototypes of the technology have been developed by software engineers from Google, Linux distributor Red Hat, and the wider open source community.
The Linux Foundation was heavily involved with the project. The overall design of sigstore was put together by start-up vendor Smallstep.
Other developers and partners are encouraged to get involved with plans to further develop the project by hardening the system, adding support for other OpenID Connect providers, and more.
Early reaction to the project has largely been favorable.
Maya Kaczorowski, a program manager for software supply chain security at GitHub, commented on Twitter: “This is a huge step in the right direction of what we need for software supply chain security.”
Others, however, struck a note of caution by alluding to the possibility that cybercriminals or worse will abuse the technology for their own nefarious purposes.
The Daily Swig approached representatives of the Linux Foundation for comment on that point. We’ll update this story as and when more information comes to hand.
Source: https://portswigger.net/daily-swig/linux-community-project-aims-to-tackle-dependency-confusion-attacks-with-easy-code-signing-verification