Sigstore aims to close the trust gap in open-source software
One of the great virtues of open-source software – which is that anyone can contribute – is also one of its greatest weaknesses.
The issue is that the supply-chain-like process by which projects with many contributors come together rests largely on faith that no one will introduce malicious code or backdoors that sabotage a project.
As open source has increasingly worked its way into commercial and enterprise applications, however, some people see the reliance on trust as a vulnerability. Kim Lewandowski and Dan Lorenc of Google LLC’s open-source security team recently noted that the process of installing most open-source software today “is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine.”
Software supply-chain attacks have been growing in frequency and sophistication. The European Union Agency for Cybersecurity expected the number of supply chain attacks to quadruple this year. A 2020 GitHub Inc. study said that the average software project now has more than 200 open-source dependencies.
Last year’s massive breach of SolarWinds Worldwide LLC was essentially an attack on the software supply chain: late in the year, researchers discovered that “trojanized” updates to a SolarWinds monitoring application had been distributed to the company’s customers. Earlier, in 2018, AO Kaspersky Lab said it had uncovered a new type of spyware that infects smartphones and was distributed through landing pages designed to mimic mobile carrier websites. And last spring, cybersecurity firm Rapid7 Inc. said it had been the victim of a supply chain breach originating with its use of a third-party code-coverage tool from Codecov.
“The problem with supply chains is that no two look the same and there’s no trust around who’s getting what from whom,” said Luke Hinds, a security engineering lead at Red Hat Inc.
Hinds and a team of developers at Red Hat, Google, the Linux Foundation and Purdue University recently teamed up on an open-source solution. Sigstore, which is being curated under the wing of the Linux Foundation, is an automated approach to digitally signing and checking software components to verify origins and authenticity. It’s free, open and nearly impossible to sabotage, developers say.
“In a lot of ways this has been the right project at the right time,” Hinds said. “We started right as a lot of high-profile attacks occurred.”
The project combines multiple open-source technologies into a single resource that handles digital signing, verification and provenance checks: Fulcio, a certificate authority that issues short-lived signing certificates tied to a developer’s identity; Cosign, for signing and verifying container images and other artifacts; and Rekor, a tamper-evident transparency log that records what was signed, by whom and when. The goal is to verify the origins of software to make it safer for developers to adopt open-source components. Sigstore provides free signing certificates without the need to manage long-lived keys, which many developers shy away from out of fear that keys will be lost.
“People know keys improve their posture but it creates a lot of responsibility,” Hinds said. “What happens if the developer gets hit by a bus?”
The Sigstore code will be unencrypted, Hinds said, “but when it’s packaged it will be signed so when you receive that package it will be fixed to an identity. You have trust establishing that it’s tamper-free.”
The security scheme uses OpenID Connect, a simple identity layer on top of the widely used OAuth 2.0 protocol that many website operators use to let users log in with credentials verified by a third-party identity provider. A developer proves an identity to that provider, and Sigstore ties the signing certificate to that identity rather than to a key the developer must safeguard for years.
“All we ask is your email address,” Hinds said. “We request the identity from the provider and give you a challenge that fixes a key pair to an identity. We also use a transparency log, which is similar to a blockchain ledger, that can be audited but not changed.” Lost keys are not a problem because “we had that snapshot in time,” he said.
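The flow sketched in the two passages above (the Fulcio, Cosign and Rekor combination, and an OIDC identity bound to a throw-away key pair with a transparency log behind it) as an added example that is not Sigstore's own code: a minimal model written in Go, the language Sigstore's tools are written in, using only the standard library. The certificate authority, the log, the email address, the artifact bytes and the ten-minute certificate lifetime are all constructed for the example; the OIDC exchange with the identity provider is assumed to have already happened before IssueFor is called, and the log is a flat running hash rather than Rekor's Merkle tree.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CA stands in for Fulcio. It is constructed for this example and is not Sigstore's real root.
type CA struct{ Key *ecdsa.PrivateKey; Cert *x509.Certificate }

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func NewCA(now time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-root"}, IsCA: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return &CA{key, cert}, err
}

// IssueFor binds an email the OIDC provider vouched for (that exchange is assumed done) to the caller's key, for ten minutes.
func (ca *CA) IssueFor(email string, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), EmailAddresses: []string{email}, NotBefore: now,
		NotAfter: now.Add(10 * time.Minute), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca.Cert, pub, ca.Key)
}

// Entry is what gets published: enough to verify later, and no private key anywhere.
type Entry struct {
	Digest             [32]byte
	Signature, CertDER []byte
	LoggedAt           time.Time
}

// Log stands in for Rekor (a Merkle tree); Head is a running hash over all entries, recomputable by any auditor.
type Log struct{ Entries []Entry }

func (l *Log) Head() [32]byte {
	var b []byte
	for _, e := range l.Entries {
		b = append(append(append(b, e.Digest[:]...), e.Signature...), e.CertDER...)
		b = append(b, e.LoggedAt.UTC().Format(time.RFC3339)...)
	}
	return sha256.Sum256(b)
}

// Sign is the keyless signer: throw-away key, short-lived cert, signed digest, public log entry. The key is then dropped.
func Sign(ca *CA, tlog *Log, email string, artifact []byte, now time.Time) (int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return 0, err }
	cert, err := ca.IssueFor(email, &key.PublicKey, now)
	if err != nil { return 0, err }
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil { return 0, err }
	tlog.Entries = append(tlog.Entries, Entry{digest, sig, cert.Raw, now})
	return len(tlog.Entries) - 1, nil
}

// Verify needs only the root cert, the log and a trusted head. The chain is checked as of the time the
// entry was logged (the cert has expired by design when anyone verifies), then identity, then signature.
func Verify(root *x509.Certificate, tlog *Log, head [32]byte, idx int, artifact []byte, wantEmail string) error {
	if tlog.Head() != head { return errors.New("log does not match trusted head") }
	if idx < 0 || idx >= len(tlog.Entries) { return errors.New("no such log entry") }
	e := tlog.Entries[idx]
	cert, err := x509.ParseCertificate(e.CertDER)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: e.LoggedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil { return err }
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantEmail { return errors.New("certificate identity mismatch") }
	digest := sha256.Sum256(artifact)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if digest != e.Digest || !ok || !ecdsa.VerifyASN1(pub, digest[:], e.Signature) { return errors.New("signature does not cover this artifact") }
	return nil
}

func main() {
	now := time.Date(2021, 6, 1, 12, 0, 0, 0, time.UTC)
	ca, _ := NewCA(now)
	tlog, artifact := &Log{}, []byte("constructed tarball bytes")
	idx, _ := Sign(ca, tlog, "dev@example.com", artifact, now)
	println(Verify(ca.Cert, tlog, tlog.Head(), idx, artifact, "dev@example.com") == nil)
}
```

Two things the model shows that the prose does not. First, Verify deliberately evaluates the certificate at the time the log recorded the entry, so a certificate that expired minutes after signing still verifies years later, while an entry logged after the ten-minute window is rejected: a stolen ephemeral key is worth very little. Second, all of the trust in that recorded time rests on the log head the verifier already holds, which is why Rekor publishes signed tree heads and inclusion proofs rather than the flat running hash used here, and why NewCA here plays the role that the public key ceremony played for the real root.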
The development process has been transparent. Sigstore has its own root certificate authority that was created on a live stream with participants from industry and academia who put keys together to create a master file “like Ghostbusters crossing streams,” Hinds said. “We bootstrapped a certificate authority in the open with live questions and answers to verify authenticity.”
While Sigstore can be used to sign any asset digitally, Hinds said, “I don’t think we’ll put a lot of cryptographic companies out of business. We’re going more for the open-source community.” The service is currently in public beta test and developers hope to launch a mature version with full guarantees by the end of the year.