Need to Sign Your Code and Haven’t a Clue? Sigstore Can Help
Sigstore, the open source software signing service, is now available to everyone who needs to prove to a customer what’s what in their code. Which, by the way, is pretty much every commercial software developer on the planet.
Some good has come out of the Log4j vulnerability and the SolarWinds disaster. No, seriously. They forced us to realize we had to really secure our software source code and supply chain. Now the Open Source Security Foundation (OpenSSF)’s Sigstore service is available for every programmer who needs it. That’s all of us.
You see, the Biden administration has issued an executive order to improve software supply chain security. You can’t ignore building security into your software. Indeed, once the bipartisan Securing Open Source Software Act is passed, it may literally be the law.
So, since many of us don’t have a clue how to go about signing our software artifacts, the public release of Sigstore 1.0 couldn’t have come at a better time.
Sigstore is a free, open source software signing service. It improves software supply chain security by making it easy to cryptographically sign release files, container images, and binaries. Once signed, the signing record is kept in a tamper-proof public log. This gives software artifacts a safer chain of custody that can be secured and traced back to their source.
It also has numerous other useful features. These include:
- Sigstore’s keyless signing gives a great developer experience and removes the need for painful key management.
- Sigstore’s public transparency log (Rekor) and APIs mean consumers can easily verify signed artifacts.
- Thanks to Sigstore’s use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm Charts, configuration files, and policy bundles) and OpenID Connect (OIDC), it can integrate seamlessly with other tools and services.
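The “tamper-proof public log” above is what lets a consumer check a signature record without trusting the log operator. As an added illustration (not Sigstore’s or Rekor’s own code), the Python below models such an append-only Merkle log using the RFC 6962 hashing convention that Certificate Transparency uses and that, to my knowledge, Rekor’s Trillian-backed tree follows. A verifier is given only the record, its index, the tree size, a short inclusion proof and the signed root, and can detect an edited record or a record claimed at the wrong position. The records, identities and digests are constructed sample data.

```python
import hashlib
import json


def leaf_hash(data: bytes) -> bytes:
    # RFC 6962 leaf hash: 0x00 prefix keeps leaves distinct from interior nodes
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # RFC 6962 interior node hash: 0x01 prefix (second-preimage defence)
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    # largest power of two strictly less than n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: list) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(index: int, leaves: list) -> list:
    # sibling hashes from the leaf up to the root (RFC 6962 PATH)
    if len(leaves) == 1:
        return []
    k = _split_point(len(leaves))
    if index < k:
        return inclusion_proof(index, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_proof(index - k, leaves[k:]) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     proof: list, root: bytes) -> bool:
    # RFC 9162 inclusion-proof check: needs only the leaf, its index, the
    # tree size, the sibling hashes and the (signed) root, never the whole log
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn != 0 and not fn & 1:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def encode_entry(entry: dict) -> bytes:
    # canonical JSON so the log and the verifier hash identical bytes
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def demo() -> dict:
    # constructed sample records: artifact digest plus the OIDC identity a
    # keyless signature is bound to (all values made up for this example)
    who = ["release-bot", "ci", "maintainer", "release-bot", "ci"]
    records = [{"artifact_sha256": f"{i:02x}" * 32,
                "identity": f"{name}@example.org",
                "issuer": "https://accounts.example.org"}
               for i, name in enumerate(who)]
    log = [encode_entry(r) for r in records]  # append-only list of leaves
    size, root = len(log), merkle_root(log)  # the checkpoint a log operator signs
    target = 3
    proof = inclusion_proof(target, log)
    genuine = verify_inclusion(log[target], target, size, proof, root)
    # an edited copy hashes to a different leaf, so the same proof fails
    edited = dict(records[target], artifact_sha256="ff" * 32)
    tampered = verify_inclusion(encode_entry(edited), target, size, proof, root)
    # the genuine record claimed at another position fails too
    wrong_index = verify_inclusion(log[target], 2, size, proof, root)
    # new entries are appended; a fresh proof for the old record verifies
    # against the new checkpoint because earlier leaves never move
    log.append(encode_entry(dict(records[0], artifact_sha256="06" * 32)))
    new_size, new_root = len(log), merkle_root(log)
    still_included = verify_inclusion(log[target], target, new_size,
                                      inclusion_proof(target, log), new_root)
    return {"size": size, "genuine": genuine, "tampered": tampered,
            "wrong_index": wrong_index, "still_included_after_growth": still_included}
```

Run `demo()` to see the four outcomes; the point a practitioner should take away is that the verifier never downloads the log, only a proof whose length grows with the logarithm of the log size, and that the domain-separating prefixes in `leaf_hash` and `node_hash` are what stop a crafted leaf from masquerading as an interior node.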
Sigstore has also announced the general availability (GA) for the Rekor transparency log and Fulcio certificate authority public benefit services. According to Priya Wadhwa, a Sigstore Technical Steering Committee member, both the Rekor and Fulcio APIs are stable and will be supported for the long term.
Wadhwa continued, “Sigstore has also set up a status page where users can check on the availability of these services. The community will continue to operate the service with a 99.5% uptime Service Level Objective (SLO) and round-the-clock pager support. This was possible thanks to the dedicated, multivendor Sigstore open source community, who fixed major bugs and added key features in both services over the past few months. A third-party security audit was also conducted to catch any potential vulnerabilities, and all findings have been addressed.”
Made for Developers
In an interview at KubeCon North America in Detroit, Chainguard CEO and Sigstore co-creator Dan Lorenc explained that in practice, while “there are rate limits in place, mostly just to prevent denial of service attacks and that kind of thing, they’re pretty generous.” In other words, developers shouldn’t have trouble using Sigstore.
Even in beta, Sigstore has proven its worth. So far, over four million signatures have been logged using Sigstore. Two of the world’s largest open source communities, Kubernetes and Python, have adopted Sigstore’s wax seal of authenticity by signing their production releases with Sigstore. Most recently, npm has been actively working to integrate Sigstore.
Brian Behlendorf, OpenSSF’s General Manager, said of Sigstore,
“Signatures on software components are an essential part of securing the global software supply chain. Before Sigstore, only the last mile to the consumer was well secured. Now we can be assured of the integrity of the upstream components we depend upon with an easy-to-use toolkit and service. Kudos to the Sigstore developers, advocates, and other contributors for getting not just to 1.0 but already to widespread implementation and impact.”
The result? Wadhwa claims, “Sigstore has rapidly become the standard for signing, verifying, and protecting software, so it’s great to announce the general availability to remove one last barrier for more widespread adoption during a time when software supply chain security is more important than ever.”
I agree with her. Sigstore is well on its way to becoming the signing standard. And the fact that it’s open source and available as a service only makes it more compelling. In a world that desperately needs secure software, Sigstore 1.0 has come at just the right time.