Linux Foundation is making it easier to verify the authenticity of software
New service will be free to use for everyone
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
In a bid to secure theopen source softwaresupply chain, the Linux Foundation, together with Red Hat,Google, and Purdue University have combined to launch a new project to help developers cryptographically sign their software.
Considering the constant increase in the rate of industrial adoption of open source software, the project, calledsigstore, aims to prevent an attack on a public software repository from injecting tainted code in the supply chain.
“sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO.
Supply chain security
Arguing that the modern software supply chain is exposed to multiple risks, the project says the existing toolset, which involves people meeting in person to sign each other’s keys, which has worked well for so long, isn’t anymore feasible in the current environment with geographically dispersedremote teams.
Now throw in the complexities of key management, revocation, public key distribution and artifact digests, and you end up in a situation where many open source projects choose not to sign their release in order to avoid the overhead.
To overcome this, sigstore pitches itself as “a free to use, non-profit software signing service that harnesses existing technologies of x509 PKI and transparency logs.” The new service will help developers and users understand and confirm the origin and authenticity of software, with minimum overhead.
It should be noted that the recentSolarWinds attackswere one of the most widespread and devastating examples of a supply chain attack.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“Securing a software deployment ought to start with making sure we’re running the software we think we are. sigstore represents a great opportunity to bring more confidence and transparency to the open source software supply chain,” said Josh Aas, executive director of the non-profitSSL certificateauthority, Let’s Encrypt.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics
This new phishing strategy utilizes GitHub comments to distribute malware
Arcane season 2 finally gave us the huge Caitlyn and Vi moment we’ve been waiting for – and its creators say ‘we couldn’t have done it in season one’
