"New Free Software Signing Service Aims to Strengthen Open-Source Ecosystem"

The Linux Foundation has launched a new service called sigstore, developed in collaboration with Red Hat, Google, and Purdue University. Software developers can use it to digitally sign their releases and other software artifacts, strengthening the security of the open-source software supply chain. Every signature is recorded in a public, tamper-resistant log that can be monitored for abuse. Sigstore ties signing certificates to identities through OpenID Connect (OIDC), so a developer can sign software with the email address or account they already hold at an OIDC identity provider instead of managing a long-lived signing key; the certificate is short-lived, and the log records when each signature was made, which is what a verifier later checks. Traditional code signing instead requires obtaining a certificate from a certificate authority (CA) trusted by the maintainers of a particular software ecosystem, which involves identity verification, joining a developer program, or similar procedures. This article continues to discuss how sigstore works, how its process differs from traditional code signing, and why signing software releases matters.
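As an added example (not sigstore's own code, and not the formats Fulcio, Rekor or cosign actually use), the following Go program models the keyless flow the summary describes: an ephemeral key is bound to an OIDC identity and issuer by a short-lived certificate, the signature is recorded in a log together with the time the log accepted it, and the verifier pins both identity and issuer and checks the certificate's validity window against the log's timestamp rather than the current time. The certificate layout, the ed25519 "CA signature", the ten-minute validity, and the sample identity, issuer and artifact are all assumptions made here; real sigstore certificates are X.509 and the real log supplies inclusion proofs, both omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Cert stands in for the short-lived certificate sigstore's CA (Fulcio) issues
// after verifying an OIDC token: an ephemeral public key bound to the token's
// identity and issuer for a short window. Layout and the ed25519 "CA signature"
// are assumptions of this example; real sigstore certificates are X.509.
type Cert struct {
	Identity, Issuer    string // e.g. e-mail claim and issuer URL from the OIDC token
	PubKey              ed25519.PublicKey
	NotBefore, NotAfter time.Time
	CASig               []byte // CA signature over tbs()
}

// tbs returns the bytes the CA signs ("to be signed").
func (c Cert) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%s|%x|%d|%d", c.Identity, c.Issuer,
		[]byte(c.PubKey), c.NotBefore.Unix(), c.NotAfter.Unix()))
}

// LogEntry stands in for a transparency-log (Rekor) entry: what was signed, by
// which certificate, and when the log accepted it (inclusion proofs omitted).
type LogEntry struct {
	ArtifactSHA256 string
	Signature      []byte
	Cert           Cert
	IntegratedTime time.Time
}

// CA is the toy certificate authority; Pub is the root that verifiers trust.
type CA struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{Pub: pub, priv: priv}, nil
}

// IssueCert binds pub to an identity for ten minutes. In sigstore the identity
// and issuer come from a verified OIDC token; here the caller supplies them.
func (ca *CA) IssueCert(identity, issuer string, pub ed25519.PublicKey, now time.Time) Cert {
	c := Cert{Identity: identity, Issuer: issuer, PubKey: pub, NotBefore: now, NotAfter: now.Add(10 * time.Minute)}
	c.CASig = ed25519.Sign(ca.priv, c.tbs())
	return c
}

// SignArtifact is the keyless flow: ephemeral key, certificate for it, sign the
// artifact digest, record everything in the log, and let the private key drop.
func SignArtifact(ca *CA, identity, issuer string, artifact []byte, now time.Time) (LogEntry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return LogEntry{}, err
	}
	digest := sha256.Sum256(artifact)
	return LogEntry{
		ArtifactSHA256: hex.EncodeToString(digest[:]),
		Signature:      ed25519.Sign(priv, digest[:]),
		Cert:           ca.IssueCert(identity, issuer, pub, now),
		IntegratedTime: now, // the log's clock, not the signer's
	}, nil
}

// Verify is the consumer-side policy. Identity and issuer are both pinned, since
// the same e-mail can exist at several providers, and the validity window is
// checked against the log's IntegratedTime: the certificate has normally expired
// by the time anyone verifies.
func Verify(caPub ed25519.PublicKey, e LogEntry, artifact []byte, wantIdentity, wantIssuer string) error {
	digest := sha256.Sum256(artifact)
	c := e.Cert
	switch {
	case hex.EncodeToString(digest[:]) != e.ArtifactSHA256:
		return errors.New("artifact digest does not match the log entry")
	case !ed25519.Verify(caPub, c.tbs(), c.CASig):
		return errors.New("certificate was not issued by the trusted CA")
	case c.Identity != wantIdentity || c.Issuer != wantIssuer:
		return fmt.Errorf("certificate identity %q from %q does not match policy", c.Identity, c.Issuer)
	case e.IntegratedTime.Before(c.NotBefore) || e.IntegratedTime.After(c.NotAfter):
		return errors.New("signature was logged outside the certificate's validity window")
	case !ed25519.Verify(c.PubKey, digest[:], e.Signature):
		return errors.New("signature does not verify under the certified key")
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	artifact := []byte("constructed sample release tarball") // constructed input
	now := time.Unix(1700000000, 0).UTC()
	entry, _ := SignArtifact(ca, "dev@example.com", "https://accounts.example.com", artifact, now)
	fmt.Println("pinned identity:", Verify(ca.Pub, entry, artifact, "dev@example.com", "https://accounts.example.com"))
	fmt.Println("wrong issuer:   ", Verify(ca.Pub, entry, artifact, "dev@example.com", "https://other.example.net"))
}
```

The identity-plus-issuer pin is the check most often skipped when people first adopt keyless signing; cosign's verify commands require both the expected identity and the expected OIDC issuer for the same reason. The late-logged case in the test below shows the other point: a signature that reaches the log only after the certificate expired must be rejected even though the signature itself is mathematically valid.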

CSO Online reports "New Free Software Signing Service Aims to Strengthen Open-Source Ecosystem"
