The free signing service Sigstore helps developers to verify and ensure the integrity of open source software. […]
Incidents such as SolarWinds and Log4j have put the security of the entire software supply chain at the center of attention and have security teams on the lookout for third-party software integrity tools. Software is ubiquitous: according to the World Economic Forum (WEF), digital platforms now account for 60% of GDP. While the way we use software has changed and continues to change the world, methods to ensure the integrity of software sourced from across the ecosystem are lacking. Digital signatures are often not used in the software supply chain at all, and where they are, conventional signing methods are usually used, which are difficult to automate and to verify.
Definition of sigstore
As sigstore co-creator and Chainguard founder Dan Lorenc puts it, sigstore is “a free signing service for software developers that improves the security of the software supply chain by enabling the easy introduction of cryptographic software signing supported by transparency protocol technologies.”
Who has already implemented Sigstore?
The Sigstore team is not the only one that sees the value of the technology. Kubernetes announced that it has standardized on sigstore and uses it as of its latest version, 1.24. This allows Kubernetes users to make sure that the distribution they are using is really the right one. In addition to this endorsement, the Linux Foundation and OpenSSF have recently released “The Open Source Software Security Mobilization Plan”, which focuses on digital signatures to increase trust in the software supply chain. The proposed approach relies on the Sigstore project because of its critical components: a certificate authority, a transparency log and ecosystem-specific libraries.
How does sigstore work?
Sigstore was founded to close some of the existing gaps in the software supply chain of open source software (OSS) and to change how we deal with the integrity, digital signing and authenticity verification of OSS components. This matters because 90% of IT executives use OSS, companies primarily hire OSS talent, and we have seen several notable software supply chain incidents, as mentioned earlier.
Sigstore combines several OSS tools, namely Fulcio, Cosign and Rekor, to help with digital signing, signature verification and proof of code provenance. Code provenance is the ability to prove where code came from and who produced it. Uber’s privacy and security team has published an excellent blog post describing how they are approaching code provenance.
Let’s unpack some of the core components of Sigstore, starting with Fulcio. Fulcio is a root certificate authority (CA) focused on code signing. It is free and issues certificates tied to OpenID Connect (OIDC) identities, typically reusing identities that developers already have. With the rapid adoption of cloud-native architectures and containers, container signing has become an important security best practice.
Key management is a tedious activity that is often offered as a managed service by cloud service providers (CSPs) or third-party vendors. Sigstore reduces some of this complexity by supporting “keyless signing” in Cosign, which uses ephemeral, short-lived keys instead of long-lived ones that have to be stored and protected. Despite the short lifetime of these keys, the validity of a signature can still be established through Fulcio’s timestamping service.
This is where Cosign comes in: it drives the signing workflow, generates key pairs where needed, and signs container artifacts, storing the signatures in the container registry. This lets cloud-native environments validate a container against a public key and ensure that it was signed by a trusted source. Digitally signing image artifacts at build time and validating those signatures is an important security best practice highlighted in the Cloud Native Computing Foundation (CNCF) Cloud Native Security Whitepaper.
Next, it is worth mentioning Rekor, an immutable, tamper-evident log of the metadata created during software build and maintenance. It enables software consumers to examine that metadata and make risk-based decisions about the software they use and the activities associated with it throughout its lifecycle. To return to the earlier point about software provenance: developers can use Rekor to contribute to a software’s provenance via the transparency log.
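To make the interplay of Fulcio, Cosign and Rekor described above concrete, here is an added illustration written for this article, not code from the sigstore project: a simplified Go model of keyless signing and of the checks a consumer performs before trusting an artifact. The types Cert and LogEntry and the functions SignKeyless and Verify are hypothetical stand-ins (real sigstore uses X.509 certificates and a Merkle-tree log with inclusion proofs, which this model does not reproduce); Ed25519 and a fixed ten-minute certificate lifetime are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Cert is a hypothetical stand-in for a short-lived Fulcio certificate (key bound to an OIDC identity).
type Cert struct {
	Identity, Issuer    string
	PubKey              ed25519.PublicKey
	NotBefore, NotAfter time.Time
}

// LogEntry is a hypothetical stand-in for a Rekor entry.
type LogEntry struct {
	Digest         [32]byte
	Signature      []byte
	Cert           Cert
	IntegratedTime time.Time // when the log accepted the entry
}

// SignKeyless models keyless signing: throwaway key, ten-minute certificate, signed digest, log entry.
func SignKeyless(artifact []byte, identity, issuer string, now time.Time) (LogEntry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return LogEntry{}, err
	}
	digest := sha256.Sum256(artifact)
	cert := Cert{identity, issuer, pub, now, now.Add(10 * time.Minute)}
	return LogEntry{digest, ed25519.Sign(priv, digest[:]), cert, now}, nil // priv is discarded here
}

// Verify is the consumer-side check: digest, expected signer, logged inside the validity window, valid signature.
func Verify(artifact []byte, e LogEntry, wantIdentity, wantIssuer string) error {
	switch {
	case sha256.Sum256(artifact) != e.Digest:
		return errors.New("artifact digest does not match log entry")
	case e.Cert.Identity != wantIdentity || e.Cert.Issuer != wantIssuer:
		return errors.New("unexpected signer identity or issuer")
	case e.IntegratedTime.Before(e.Cert.NotBefore) || e.IntegratedTime.After(e.Cert.NotAfter):
		return errors.New("entry logged outside certificate validity window")
	case !ed25519.Verify(e.Cert.PubKey, e.Digest[:], e.Signature):
		return errors.New("signature does not verify under certificate key")
	}
	return nil
}
```

The validity-window check is what makes short-lived keys workable: the signature is trusted because the log recorded it while the certificate was still valid, not because the key still exists.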
Also worth noting are emerging guidelines such as Supply Chain Levels for Software Artifacts (SLSA) and NIST’s Secure Software Development Framework (SSDF). SLSA Level 3 emphasizes the need to check the source and integrity of a software’s provenance, which sigstore supports. Specific practices in the SSDF likewise call for provenance and verification mechanisms. This is significant because the US federal government is moving to require software vendors selling to the government to comply with the SSDF practices. By introducing sigstore, you can position your company to adapt to the new standards and best practices discussed here and to minimize critical software supply chain risks and their consequences.
What does the future of sigstore look like?
Market adoption of the Sigstore project is only beginning. However, with the support of leading OSS projects such as Kubernetes and of the OSS Security Mobilization Plan from The Linux Foundation and OpenSSF, the future looks promising.
With the proliferation of OSS and companies striving to improve their software supply chain practices, Sigstore represents an important opportunity for the ecosystem to cover key areas around digital signatures, authenticity and integrity. Risk management is all about making informed decisions, and robust details about the provenance of software artifacts and the people involved in their creation and distribution are crucial. This is where the sigstore project shines, and it will probably continue to see rapid adoption throughout the business world.
*Chris Hughes is currently CISO and Co-founder of Aquia. Chris Hughes has almost 20 years of experience in the field of IT/cybersecurity. He has served on active duty in the U.S. Air Force, as an official in the U.S. Navy and the General Services Administration (GSA)/FedRAMP, and as a consultant in the private sector. In addition, he is a lecturer for master’s programs in cybersecurity at Capitol Technology University and the University of Maryland Global Campus.