Code signing is not a new idea, in fact it’s been around for a long time. Code signing uses cryptographic digital signatures to verify that the software you use is exactly what it claims to be and has not been tampered with in the software supply chain. Code signing is a pretty key security concept, but in practice it has not been widely adopted due to practical challenges. This is changing dramatically by Sigstore, an open source project aiming to enable code signing for everyone.
1. PGP paved the way but it’s time to move on
Pretty Good Privacy (PGP) is probably the most well known code signing mechanism. Based on the OpenPGP, it was developed in 1991 by Phil Zimmermann. Over the years we’ve come to understand all the deficiencies in PGP, captured well in this almost biblical rant. Even the creator of PGP recently admitted it is too hard to use for most users nowadays. Few ecosystems use it, and even when they do, adoption is low.
Nevertheless, PGP laid the early groundwork for future code signing evolution.
2. Managing keys is too painful and insecure
PGP and pretty much all code signing technology before Sigstore rely on managing public/private key pairs. Turns out this is pretty complex to do well. And in practice we have failed at this over, and over again leading to major security breaches and in some cases millions being stolen.
The beauty of Sigstore is that it sidesteps private key management by using only short-lived keys (aka ‘keyless’) and tying signatures to existing, widely-used OpenID Connect (OIDC) identities. Examples of userful OIDC services are Github, Google and Microsoft accounts. In short you can get a signature, tied to your public identity and not have to worry about key loss or theft at all.
3. Sigstore just announced General Availability
Sigstore is really a suite of technologies that work together. It includes Cosign for signing software artifacts, Gitsign for signing Git commits, the Fulcio certificate authority, and the Rekor transparency log. These tools can be used independently or as one single process for a holistic approach to software supply chain security.
In addition to the projects there are community run services for the Rekor transparency log and Fulcio certificate authority. These services were recently declared to be in general availability, meaning that they can be confidently relied on for production grade stable services for signing and verification.
4. Sigstore is the de facto code signing for open source
Thanks to its ease of use, open source projects have quickly started adopting Sigstore. In May, the Kubernetes ecosystem adopted Sigstore in a landmark move. Kubernetes 1.24 became the first release using Sigstore to enable seamless verification of signatures to protect against supply chain attacks across its 5m+ developer community.
A few months later, the Python community adopted Sigstore for signing CPython releases. The new release of Python 3.11 in November was the first new version of Python to be signed with Sigstore by default.
Not to be left far behind, npm recently announced they are actively working to integrate Sigstore, so all npm packages can be reliably linked to their source code and build instructions. In the Java world, Maven also announced their intent to adopt Sigstore as part of the Maven central platform. Sigstore looks set to be the fastest adopted open source project in history. To ease adoption of Sigstore in various ecosystems, Sigstore language clients for Python, Java, Javascript and Ruby are in development. The Sigstore landscape highlights the growing ecosystem.
5. Enterprises are embracing Sigstore
As open source ecosystems rapidly adopt Sigstore, many companies are also adopting Sigstore. From startups such as Edgeless Systems to companies like Autodesk, Bloomberg and Verizon to government facing organizations such as Rancher Government and DoD’s Platform One, Sigstore’s appeal is universal.
One appealing feature of Sigstore to enterprises is that it can provide a seamless and consistent developer experience across both open source and closed source software. Other reasons companies cite as advantages to using Sigstore include:
There is one additional reason that helps make Sigstore a safe bet…
6. Sigstore has a thriving open source community
Powering the Sigstore project is a very active open source community. Sigstore is a project under the Open Source Security Foundation (OpenSSF), a cross-industry organization hosted by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. OpenSSF has over 100 participating organizations including all the major cloud providers and many academic institutions. Over 70 different organizations contribute to Sigstore and are driving the rapid adoption of Sigstore as it quickly becomes the de facto industry standard. The community recently held its first-ever SigstoreCon, in co-location with KubeCon + CloudNativeCon North America.
7. Sigstore is the first step in your supply chain security journey
According to Sonatype’s 2022 State of the Software Supply Chain Report, supply chain attacks specifically targeting OSS have increased 742% annually over the past 3 years. Securing software supply chains involves tackling many different challenges. To address open source and software supply chain security,OpenSSF outlined a 10-point mobilization plan. One of those goals is for 50 of the top 200 projects to adopt an interoperable approach to software signing with Sigstore. The real benefits of code signing kick in when broad adoptions starts to happen. At Chainguard, we put out a call to standardize on digital signatures for software security with Sigstore.
While code signing alone isn’t enough on its own, it is the first key step that is easy to implement and can bear early dividends. So don’t wait, join everyone in making your plans to adopt Sigstore! And just for some meme fun, check out this helpful LinkedIn thread from Sigstore co-founder and Chainguard CEO Dan Lorenc.
Resources
