TNS
VOXPOP
Where are you using WebAssembly?
Wasm promises to let developers build once and run anywhere. Are you using it yet?
At work, for production apps
0%
At work, but not for production apps
0%
I don’t use WebAssembly but expect to when the technology matures
0%
I have no plans to use WebAssembly
0%
No plans and I get mad whenever I see the buzzword
0%
Security / Software Development

Npm to Adopt Sigstore for Software Supply Chain Security

GitHub is planning to adopt the Sigstore tool for signing and verifying npm packages -- a move that will significantly improve software supply chain security.
Aug 10th, 2022 7:55am by
Featued image for: Npm to Adopt Sigstore for Software Supply Chain Security
Featured image by Scott Graham on Unsplash.

Let’s be honest. npm, the JavaScript package manager and default package manager for the JavaScript runtime environment Node.js, needs all the security help it can get. Mend, a leading open source security provider, recently claimed npm was a playground for malicious actors. WhiteSource has a point. And now, Justin Hutchings, GitHub‘s Director of Product Management Security, wants to fix this.

Npm is a GitHub subsidiary, so when Hutchings speaks, npm listens. While Hutching isn’t ordering npm to adopt the Linux Foundation and Open Source Security Foundation (OpenSSF)‘s Sigstore for signing source code, he strongly encourages it.

Advantages of Sigstore

With Sigstore, developers generate ephemeral key pairs for their software, using the Sigstore client. The Sigstore Public Key Infrastructure (PKI) then provides a signing certificate, which is recorded into a certificate transparency log. This is then used to introduce a trusted root to the users’ OpenID accounts. That done, the ephemera keys can be discarded, and the software code has a certificate of trust.

Sigstore’s signatures combined with npm’s other security improvements, such as requiring two-factor authentication, streamlined login, and enhanced signing of artifacts, help secure npm from software supply chain attacks.

Specifically, Hutchings explained, they’re opening a new request for comments (RFC), which discusses linking a package with its source repository and its build environment. “When package maintainers opt-in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository.”

Historically, this is a pain, so no one did it. It required individual projects to register and manage their own cryptographic keys. If adopted, developers won’t have to worry about that. Instead, by adding support for npm package end-to-end signing with Sigstore, the process is automated. Hutchings added, “This process would include generating attestations about where, when, and how the package was authored so that it can be verified later.”

Dan Lorenc, Sigstore’s curator, and Chainguard CEO and co-founder, told me in an email that Sigstore has become “one of the fastest adopted open source technologies in history because of its developer-friendly method for signing, verifying, and protecting software.”

Sigstore Adoption

Npm isn’t the only one adopting Sigstore to make its code safer. Kubernetes, Python, and Rust developers are all working with Sigstore

Lorenc claims, “Tens of millions of developers are now using software signed with Sigstore, and that has a massive impact on the integrity of all software.” Goodness knows npm needs this. Trustworthy is not a word that comes to mind when developers think about npm today.

Still, as Hutchings concluded, this is only one step. “Securing the software supply chain is one of the biggest security challenges our industry faces right now. This proposal is an important next step, but truly solving this challenge will require commitment and investment across the community. We’re excited to hear your feedback and look forward to going on this journey together!”

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.