Google, Linux Foundation, Red Hat release free tool to secure software supply chains

A coalition of Google, the Linux Foundation, Purdue University, and Red Hat launched a new project this week aimed at helping companies secure their software.

Named Sigstore, this new tool will provide the infrastructure for developers to cryptographically sign software releases, container images, or binaries and then save signing proof in public and auditable logs.

The Sigstore service will be available for free for everyone via its official website, and its source code will be available for bug reports, feature requests, and security audits on GitHub. The project is still in its early phases.

Google: Let's Encrypt for Code Signing

In a blog post yesterday, Google described the new project as "Let's Encrypt for Code Signing."

The Linux Foundation, which is formally hosting and shepherding the project, said Sigstore was created to address the problem of software supply chain security.

Over the past years, there's been a rising number of incidents where threat actors compromised legitimate software/libraries and inserted malicious code that they later used to compromise companies or end-consumers who relied on products built around those tools or libraries.

Because most open-source projects don't cryptographically sign their releases, downstream users can't reliably verify if or when the original project's releases have been tampered with.

The idea behind Sigstore is to provide a free solution for signing software releases, a type of infrastructure that many open-source projects don't have the financial resources to set up or run on their own.

"I am very excited about the prospects of a system like sigstore," said Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, University of Purdue / in-toto project founder.

"The software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure. This will set a new tone in the software supply chain security conversation," Torres-Arias added.

Honestly, something like this has been inevitable for a while:

"Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code."https://t.co/aNVm19Z3y4

— Brian in Pittsburgh (@arekfurt) March 10, 2021