Linux Foundation Creates New Code Signing Solution
In partnership with Red Hat, Google, and Purdue University, the Linux Foundation has created a service it hopes will help establish a new standard for software supply chain security. The new service, called sigstore, will enable all open-source projects to be signed to ensure provenance, integrity, and discoverability. The service should go a long way toward creating a transparent and auditable software supply chain.
sigstore will provide free certificates and all the tools necessary to automate the signing and verification of source code. To make this even more appealing to developers, the only information required to use the service will be an OpenID Connect grant, which means sigstore will not access a developer's sensitive data (such as contacts, cloud accounts, and calendars).
There are numerous reasons why sigstore was created. The most important, however, is that open-source software makes use of numerous dependencies from numerous suppliers, and the ability to trust all of the moving parts that go into a single project is essential to business security. With a project signed through sigstore, developers and companies know they can trust that the applications and frameworks they intend to use and deploy are the ones their authors actually published (a signature attests to who produced an artifact and that it has not been altered since, not that the code itself is free of defects).
On that point, Josh Aas, Executive Director of ISRG (Let's Encrypt), said, "Securing a software deployment ought to start with making sure we're running the software we think we are. Sigstore represents a great opportunity to bring more confidence and transparency to the open-source software supply chain."
Find out more about sigstore on the official Linux Foundation blog.