Everything starts from somewhere, and software is no different - just as physical goods have a point of origin and an associated supply chain, so does code. In today’s world, the origin story for most software applications starts, at least partially if not entirely, in an open source community. So how do you secure a supply chain for a product that has no physical form, no box to lock and is created in an environment where anyone can contribute to it?
This is the goal of sigstore, an open source project originally conceived and prototyped at Red Hat and now under the auspices of the Linux Foundation with backing from Red Hat, Google and other IT leaders. Sigstore offers a method to better secure software supply chains in an open, transparent and accessible manner. The need for a project like sigstore is underscored by the recent attacks and breaches of critical digital infrastructure, both in North America and globally, leading to a U.S. presidential executive order aimed at furthering software supply chain security.
So why do we need something like sigstore, exactly? And what does sigstore do that existing technologies, built to certify and sign digital technologies, don’t?
The inaccessibility of digital signing
The answer to securing software supply chains lies in digitally-signing the various artifacts that comprise applications, from binaries and containers to aggregated files (like tarballs) and software-bills-of-materials (SBOM). Digital signatures effectively “freeze” an object in time, indicating that in its current state it is verified to be what it says it is and that it hasn’t been altered in any way. This is great for developers who are pulling lots of various code and projects into more complicated workloads...or it would be if the process was better equipped to handle open source.
Many digital signing solutions are good at what they do, but they’re expensive and don’t fit the model of open source’s innovation engine. These two things alone would be an issue, but there’s also the matter of who holds the private key - this is exactly what it sounds like and is essentially the identification that says code came from a specific given source. In open communities, where tons of people contribute, is everyone supposed to hold a private key? Just the community leads (if they exist)? The sponsor?
This is the challenge facing the software supply chain, especially in open source: budgets are small to non-existent for digital signing tools, the software itself is changing frequently and there’s the management and securing of private keys over the life of the project’s existence.
Enter sigstore!
Digital signing made for everyone
Sigstore aims to make software signing ubiquitous, in much the same way that Let’s Encrypt made X.509 certificates for Transport Layer Security (TLS) commonplace. Before Let’s Encrypt, you may have only seen HTTPS in your address bar for e-commerce sites; now, given how accessible the certificates are, nearly every site runs HTTPS and is, by definition, more secure. This is the model that sigstore wants to follow.
Sigstore is intended to make cryptographic signing easier - cryptography is a specialized skill, and one that the bulk of developers aren’t deeply familiar with. Sigstore removes this burden and makes it accessible by enabling developers to use an email address via the OpenID connect protocol as a preexisting identifier to sign their code. The project also produces an open but immutable activity log for accountability.
To fully offer all of these capabilities and become a widely-used, free service, we need to establish trust - literally. Trust is the root (ha!) of digital security, whether it’s web certificates or code. Without this trust, sigstore can’t be counted on by other authorities or services to accurately show that an individual is who they say they are and that the produced software is what it claims to be.
So now we’re working to establish the Sigstore Trust Root, an effort that was kicked off by a public Key Signing party. Five community members, one of which I am honored to be, created cryptographic keys on a community livestream, which were then published to a GitHub repository and verified live by viewers. This is the foundation of the Trust Root for sigstore, and as part of our commitment to transparency and openness, the Key Holder roles will rotate through the community as we grow.
What’s next
Sigstore is still building up, along with the subprojects Rekor (a timestamping service and transparency log) and Fulcio, a free code-signing certificate authority, but we have big plans. Beyond growing the community, we’re working with the Linux Foundation to stand up a fully-staffed public service. Finally, from a Red Hat perspective, we’re exploring how to build the capabilities of sigstore into Red Hat OpenShift, via container tools and Red Hat Advanced Cluster Management for Kubernetes as a way to bring integrated and open software signing into existing application workflows.
The need for free and open digital code signing is only expected to grow. As has been said many times, every company is now a software company - this means that code isn’t just running our laptop and phones. It’s the engine behind global financial systems, healthcare advancements, modern cars and more. Even our food supply, from the tractors harvesting crops to the trucks transporting goods, is now rooted in applications and technology. Sigstore aims to make code signing as accessible and broadly available as software itself. I encourage you to check out sigstore for yourself and see where we hope to take the next generation of code security!
저자 소개
Luke Hinds has been with Red Hat since 2016 and is currently a Distinguished Engineer in the office of the CTO.
유사한 검색 결과
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.