The open-source technology allows users to verify the reliability of software components. Sigstore is used by the developers of giant projects like Kubernetes and Python. The free technology was recently made generally available.
Software supply chain security is a growing problem. Vulnerabilities in libraries, development tools and other artifacts allow cybercriminals to attack organizations at scale. Log4Shell and the attack on SolarWinds are prime examples.
In late 2021, researchers revealed a critical vulnerability in Log4j, a popular library for Java. The library is used in the software of numerous organizations, but no one seemed to know exactly where. Some companies were attacked because they overlooked the library. Other companies suffered downtime damage by shutting down unnecessary systems as a precaution.
The problem was a lack of understanding of software provenance. The average application consists of a jumble of reused components. The origin is rarely clear. Sigstore solves the issue. The open-source technology allows users to verify the origin of software. Sigstore was recently made available as a free service.
The idea is simple. You write a piece of code and press a button, after which Sigstore signs the code. The signature indicates who changed the code, when the code was changed and how the code was changed. Sigstore stores the encrypted signature securely.
When sharing the code with someone, he or she can review the signature. This way, the recipient knows where the code came from. If the recipient processes the code in their own software project, the signature remains intact. When the recipient shares their own software project with someone else, the recipient can review what the software project consists of.
In practice, Sigstore is a bit more complex. The project consists of several open-source tools, each with a proprietary task. Cosign helps host a signature registry, Rektor generates a log of events, and so on. Together, the tools create the streamlined process mentioned above.
Sigstore is designed for open-source communities. The technology is used at scale by the developers of Kubernetes and Python.
Ultimately, Sigstore makes it possible to trust a software project’s code at a glance. Cybercriminals have no way to silently push malicious changes. If you want to know where an application’s components came from, you consult the signature and go on your way.
Sigstore is now generally available. The open-source project is based on contributions from major players like Google, GitHub, Chainguard and Red Hat.