Red Hat and Google, in partnership with Purdue University, have founded the Sigstore project, which aims to create tools and services for verifying software by means of digital signatures and for maintaining a public, tamper-evident record of signing activity (a transparency log). The project will be developed under the auspices of the Linux Foundation.
The project is intended to improve the security of software distribution channels and to protect against supply-chain attacks that substitute software components and dependencies. One of the key security problems in open source software is the difficulty of verifying where a program came from and how it was built. For example, most projects publish hashes for checking the integrity of a release, but the data needed for verification is often stored on unprotected systems or in the same repository as the code, so an attacker who compromises that system can replace the reference hashes together with the files and introduce malicious changes without raising suspicion. A hash published next to the artifact it describes only shows that the download was not corrupted in transit; it says nothing about who produced the artifact.
Only a minority of projects sign their releases, because of the complexity of managing keys, distributing public keys and revoking compromised ones. For verification to mean anything, a reliable and secure process for distributing public keys and checksums is also required. Even when a release is signed, many users skip verification, since it takes time to learn the verification procedure and to work out which key is actually trustworthy.
Sigstore is positioned as a Let’s Encrypt analogue for code: it issues certificates for signing code and provides tools that automate verification. With Sigstore, developers can sign application artifacts such as release files, container images, manifests and executables. A distinguishing feature is that the material used for signing (the signatures together with the certificates that identify the signer) is recorded in a public, tamper-evident log that can be used both for verification and for auditing who signed what and when.
Instead of long-lived keys, Sigstore uses short-lived ephemeral keys. At signing time the developer authenticates with an OpenID Connect provider, generates a fresh key pair, and receives a short-lived certificate that binds the public key to the identity the provider confirmed; the key is used once and then discarded, so there is no long-term private key to protect, and revoking a leaked key becomes moot once its certificate has expired. The signature and the certificate are then recorded in the public log. A verifier checks the certificate, the signature and the log entry, and can thereby confirm that the signature was produced by the identity it claims to come from and by the same identity that was responsible for previous releases. Because the certificate expires shortly after issuance, verification of an older release cannot rely on the current time: it relies on the log’s record of when the entry was added to establish that the signature was made while the certificate was still valid.
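As an added illustration of the flow just described (example code written for this page, not code from the Sigstore project), here is a small Go model of it: the developer generates a fresh key pair, a certificate authority standing in for the Sigstore CA signs a certificate binding that key to the identity the OpenID Connect provider confirmed, the artifact is signed, and the signature, certificate and logging time go into a hash-chained append-only log that stands in for the Merkle-tree transparency log. The verifier then checks identity, certificate, validity at logging time, signature and log inclusion. Every name here (IdentityCert, LogEntry, LogHead, NewCAKey, Sign, Verify), the 10-minute validity window, the constructed artifact and the maintainer@example.org identity are assumptions made for the example; the real service’s certificate format, log format and inclusion proofs differ.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// IdentityCert stands in for the short-lived certificate a Sigstore-style CA issues after OpenID Connect login.
type IdentityCert struct {
	Subject  string    // identity the OIDC provider confirmed (here an email address)
	PubKey   []byte    // PKIX/DER encoding of the ephemeral public key
	NotAfter time.Time // end of the short validity window
	CASig    []byte    // CA signature over the three fields above
}

type LogEntry struct {
	ArtifactDigest, Signature []byte
	Cert                      IdentityCert
	LoggedAt                  time.Time // stamped by the log when the entry is appended
}

func certDigest(c IdentityCert) []byte { // a real cert is DER; hex fields with NUL separators keep this unambiguous
	h := sha256.Sum256([]byte(fmt.Sprintf("%s\x00%x\x00%s", c.Subject, c.PubKey, c.NotAfter.UTC().Format(time.RFC3339))))
	return h[:]
}

func entryDigest(e LogEntry) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%x\x00%x\x00%x\x00%x\x00%s", e.ArtifactDigest, e.Signature,
		certDigest(e.Cert), e.Cert.CASig, e.LoggedAt.UTC().Format(time.RFC3339))))
	return h[:]
}

// LogHead folds a hash chain over the log, standing in for the Merkle root: it commits to every entry and their order.
func LogHead(log []LogEntry) (head []byte) {
	for _, e := range log {
		h := sha256.Sum256(append(append([]byte{}, head...), entryDigest(e)...))
		head = h[:]
	}
	return head
}

func NewCAKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } // stands in for the CA's key

// Sign is the developer's side; caKey stands in for the CA, identity for the account the OIDC provider confirmed.
func Sign(artifact []byte, identity string, caKey *ecdsa.PrivateKey, now time.Time) (LogEntry, error) {
	eph, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh key per signing; it never leaves this function
	if err != nil {
		return LogEntry{}, err
	}
	pub, _ := x509.MarshalPKIXPublicKey(&eph.PublicKey) // cannot fail for a P-256 key
	cert := IdentityCert{Subject: identity, PubKey: pub, NotAfter: now.Add(10 * time.Minute)}
	if cert.CASig, err = ecdsa.SignASN1(rand.Reader, caKey, certDigest(cert)); err != nil {
		return LogEntry{}, err
	}
	d := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, eph, d[:])
	return LogEntry{ArtifactDigest: d[:], Signature: sig, Cert: cert}, err
}

// Verify is the consumer's side; the switch lists every check, in order, that must pass before the artifact is trusted.
func Verify(artifact []byte, e LogEntry, caPub *ecdsa.PublicKey, log []LogEntry, published []byte, want string) error {
	k, _ := x509.ParsePKIXPublicKey(e.Cert.PubKey) // a parse failure surfaces as ok == false below
	ephPub, ok := k.(*ecdsa.PublicKey)
	d := sha256.Sum256(artifact)
	switch {
	case e.Cert.Subject != want:
		return errors.New("signer is not the expected maintainer")
	case !ecdsa.VerifyASN1(caPub, certDigest(e.Cert), e.Cert.CASig):
		return errors.New("certificate was not issued by the trusted CA")
	case e.LoggedAt.After(e.Cert.NotAfter):
		return errors.New("entry was logged after the certificate expired")
	case !bytes.Equal(LogHead(log), published):
		return errors.New("log does not match the published head")
	case !ok || !bytes.Equal(d[:], e.ArtifactDigest) || !ecdsa.VerifyASN1(ephPub, d[:], e.Signature):
		return errors.New("signature does not cover this artifact")
	}
	for _, le := range log {
		if bytes.Equal(entryDigest(le), entryDigest(e)) {
			return nil
		}
	}
	return errors.New("entry is not in the public log")
}

func main() {
	caKey, _ := NewCAKey()
	release := []byte("constructed release tarball contents") // constructed sample artifact
	entry, _ := Sign(release, "maintainer@example.org", caKey, time.Now())
	entry.LoggedAt = time.Now() // the log stamps the entry when it is appended
	log := []LogEntry{entry}
	fmt.Println(Verify(release, entry, &caKey.PublicKey, log, LogHead(log), "maintainer@example.org"))
}
```

The expiry check is the part worth studying: the signing certificate is valid only briefly, so a consumer checking a release weeks later cannot compare against the current time and must instead trust the log’s record of when the entry was appended, which is why that time is part of the hashed log material. Swapping the artifact, changing the expected identity, presenting a certificate from a different CA, or pointing at a log whose recomputed head differs from the published one all make Verify return an error; the hash chain is a simplification, since the real log uses a Merkle tree with inclusion proofs so that a verifier need not download every entry.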
Sigstore provides both a ready-to-use service