"A New Tool Wants to Save Open Source From Supply Chain Attacks"
The NotPetya malware attack and the recent SolarWinds cyberespionage campaign are both real-world examples of software supply chain attacks, in which an attacker slips malicious code into legitimate, widely used software. Supply chain security has become more important than ever as more such attacks emerge. The Sigstore platform, which is affiliated with the Linux Foundation and led by Google, Purdue University, and Red Hat, was developed to encourage the adoption of code signing, an important practice for protecting software supply chains that popular and widely used open-source software often overlooks. Open-source developers do not always have the resources, time, or expertise to implement code signing on top of the other nonnegotiable components required for their code to run. Software developers can use the Sigstore service to digitally sign their releases and other software artifacts, improving the security of the open-source software supply chain. Sigstore coordinates the complicated cryptography for its users, and offers to handle everything for developers who are unable or unwilling to take on the extra work themselves. Developers can immediately start cryptographically signing their code as having been made by them at a specific time, using established, preexisting identifiers such as an email address or a third-party sign-in system like Sign In With Google or Sign In With Facebook. Sigstore also automatically produces a public, unchangeable open-source log of all signing activity, providing public accountability for every submission as well as a place to investigate if something goes wrong. This article continues to discuss the importance of code signing for protecting software supply chains, why developers often overlook this practice, how the Sigstore tool encourages the adoption of code signing, and why open-source security is complicated.
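As an added illustration (not code from the article or from the Sigstore project), the following Python models the "public, unchangeable log" idea the summary describes: an RFC 6962-style Merkle tree, the construction used by Certificate Transparency logs and by Sigstore's transparency log (Rekor). Each signing record becomes a leaf, the tree root is what the log publishes, and a consumer can check a compact inclusion proof for one record; the log entries below are constructed sample values, and the code is a simplified stand-alone model, not Rekor's implementation.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 domain separation: 0x00 for leaves, 0x01 for interior nodes,
    # so a crafted leaf can never be mistaken for an interior node
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # largest power of two strictly less than n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(hashes: list) -> bytes:
    # Merkle Tree Hash of a non-empty ordered list of leaf hashes (any size, not just 2^k)
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))

def inclusion_proof(hashes: list, m: int) -> list:
    # Audit path for leaf m: (sibling subtree root, sibling_is_left) pairs, leaf to root
    if len(hashes) == 1:
        return []
    k = _split(len(hashes))
    if m < k:
        return inclusion_proof(hashes[:k], m) + [(merkle_root(hashes[k:]), False)]
    return inclusion_proof(hashes[k:], m - k) + [(merkle_root(hashes[:k]), True)]

def verify_inclusion(entry: bytes, proof: list, root: bytes) -> bool:
    # A consumer needs only the entry, its proof and the published root hash
    h = leaf_hash(entry)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

# Constructed sample log entries (illustrative, not real Sigstore records)
LOG = [b"sha256:aa11 signed-by dev@example.org 2021-03-09T10:00Z",
       b"sha256:bb22 signed-by ci@example.org 2021-03-09T10:05Z",
       b"sha256:cc33 signed-by dev@example.org 2021-03-09T11:30Z"]

def demo() -> bool:
    # The genuine entry verifies; an edited entry no longer matches the published root
    hashes = [leaf_hash(e) for e in LOG]
    root, proof = merkle_root(hashes), inclusion_proof(hashes, 1)
    return (verify_inclusion(LOG[1], proof, root)
            and not verify_inclusion(LOG[1].replace(b"ci@", b"evil@"), proof, root))
```

Because every append changes the root, a log operator cannot silently rewrite or drop an old entry without the published roots ceasing to match, which is what gives the log its accountability value.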
Wired reports "A New Tool Wants to Save Open Source From Supply Chain Attacks"