Sigstore, a cryptographic code verification service from Red Hat and Google

Red Hat and Google, along with Purdue University, recently announced the founding of the Sigstore project, whose objective is to create tools and services for verifying software using digital signatures and for maintaining a public transparency log. The project will be developed under the auspices of the Linux Foundation, a non-profit organization.

The proposed project enhances the security of software distribution channels and protects against targeted attacks that replace software components and dependencies (supply chain attacks). One of the key security concerns in open source software is the difficulty of verifying the origin of a program and of verifying its build process.

For example, to verify the integrity of a release, most projects use hashes, but often the information required for verification is stored on unprotected systems or in shared code repositories; if those are compromised, attackers can replace the files used for verification and introduce malicious changes without arousing suspicion.

Only a minority of projects distribute their releases with digital signatures, because of the complexity of key management, the distribution of public keys and the revocation of compromised keys. For verification to be meaningful, a reliable and secure process for distributing public keys and checksums is also needed. Even when a digital signature is provided, many users skip verification because it takes time to learn the verification process and to understand which key should be trusted.

About Sigstore

Sigstore is promoted as a Let's Encrypt analog for code, providing certificates for digital code signing and tools to automate verification. With Sigstore, developers can digitally sign application-related artifacts such as release files, container images, manifests and executables. A distinguishing feature of Sigstore is that the material used for signing is recorded in a public, tamper-evident log that can be used for verification and auditing.

Instead of long-lived keys, Sigstore uses short-lived ephemeral keys that are generated on the basis of credentials confirmed by an OpenID Connect provider (when the signing keys are generated, the developer is identified through the OpenID provider and the key is bound to their email address). The authenticity of the keys is checked against the centralized public log, which makes it possible to ensure that the author of a signature is who they claim to be, and that the signature was produced by the same party that was responsible for previous releases.

Sigstore provides a ready-to-use service and a set of tools that allow you to run similar services on your own infrastructure. The service is free for all software developers and vendors, and is operated on a neutral platform, the Linux Foundation. All components of the service are open source, written in Go, and distributed under the Apache 2.0 license.

Among the components under development are:

  • Rekor: an implementation of a log that stores digitally signed metadata describing projects. To guarantee integrity and protect against tampering, it uses a Merkle tree structure, in which each branch verifies all of the branches and leaves beneath it by means of a hash function.
  • Fulcio (Sigstore WebPKI): a system for building certificate authorities (root CAs) that issue short-lived certificates based on email addresses authenticated through OpenID Connect. The certificate's lifetime is 20 minutes, during which the developer must generate the digital signature (if the certificate later falls into the hands of an attacker, it will already have expired).
  • Cosign (Container Signing): a set of tools for generating signatures for containers, verifying signatures and storing signed containers in OCI (Open Container Initiative) compliant registries.
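Worked example of the Merkle-tree integrity check that a Rekor-style log relies on (an added example, not Sigstore's own code). It assumes the RFC 6962 hashing scheme used by Certificate Transparency logs, builds a tiny log from constructed entries, and shows how a client checks that an entry is included under a published tree head, and that a forged entry or a truncated proof is rejected.

```python
import hashlib

# RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes.
def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly below n (the RFC 6962 split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: list[bytes]) -> bytes:
    """Tree head the log publishes over its entries (assumed non-empty)."""
    if len(leaves) == 1:
        return hash_leaf(leaves[0])
    k = _split(len(leaves))
    return hash_node(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list[bytes], m: int) -> list[bytes]:
    """Sibling hashes the log returns for entry m, ordered leaf to root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf_hash: bytes, index: int, size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 algorithm): rebuild the root, compare."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash
    for p in proof:
        if sn == 0:          # proof is longer than the tree allows
            return False
        if fn % 2 == 1 or fn == sn:
            r = hash_node(p, r)
            while fn % 2 == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = hash_node(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```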

Finally, if you are interested in learning more about this project, you can consult the details at the following link.
