Npm to Adopt Sigstore for Software Supply Chain Security
Let’s be honest. npm, the JavaScript package manager and default package manager for the JavaScript runtime environment Node.js, needs all the security help it can get. Mend, a leading open source security provider, recently claimed npm was a playground for malicious actors. WhiteSource has a point. And now, Justin Hutchings, GitHub‘s Director of Product Management Security, wants to fix this.
Npm is a GitHub subsidiary, so when Hutchings speaks, npm listens. While Hutching isn’t ordering npm to adopt the Linux Foundation and Open Source Security Foundation (OpenSSF)‘s Sigstore for signing source code, he strongly encourages it.
Advantages of Sigstore
With Sigstore, developers generate ephemeral key pairs for their software, using the Sigstore client. The Sigstore Public Key Infrastructure (PKI) then provides a signing certificate, which is recorded into a certificate transparency log. This is then used to introduce a trusted root to the users’ OpenID accounts. That done, the ephemera keys can be discarded, and the software code has a certificate of trust.
Sigstore’s signatures combined with npm’s other security improvements, such as requiring two-factor authentication, streamlined login, and enhanced signing of artifacts, help secure npm from software supply chain attacks.
Specifically, Hutchings explained, they’re opening a new request for comments (RFC), which discusses linking a package with its source repository and its build environment. “When package maintainers opt-in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository.”
Historically, this is a pain, so no one did it. It required individual projects to register and manage their own cryptographic keys. If adopted, developers won’t have to worry about that. Instead, by adding support for npm package end-to-end signing with Sigstore, the process is automated. Hutchings added, “This process would include generating attestations about where, when, and how the package was authored so that it can be verified later.”
Dan Lorenc, Sigstore’s curator, and Chainguard CEO and co-founder, told me in an email that Sigstore has become “one of the fastest adopted open source technologies in history because of its developer-friendly method for signing, verifying, and protecting software.”
Sigstore Adoption
Npm isn’t the only one adopting Sigstore to make its code safer. Kubernetes, Python, and Rust developers are all working with Sigstore
Lorenc claims, “Tens of millions of developers are now using software signed with Sigstore, and that has a massive impact on the integrity of all software.” Goodness knows npm needs this. Trustworthy is not a word that comes to mind when developers think about npm today.
Still, as Hutchings concluded, this is only one step. “Securing the software supply chain is one of the biggest security challenges our industry faces right now. This proposal is an important next step, but truly solving this challenge will require commitment and investment across the community. We’re excited to hear your feedback and look forward to going on this journey together!”
