
7 reasons you should plan to adopt Sigstore in 2023

Tracy Miranda, Head of Open Source

Code signing is not a new idea; it has been around for a long time. It uses cryptographic digital signatures to verify that the software you run is exactly what it claims to be and has not been tampered with somewhere in the software supply chain. Code signing is a key security concept, but in practice it has not been widely adopted because of practical challenges. That is changing dramatically with Sigstore, an open source project that aims to make code signing available to everyone.

1. PGP paved the way but it’s time to move on

Pretty Good Privacy (PGP) is probably the best-known code signing mechanism. It was developed in 1991 by Phil Zimmermann, and the OpenPGP standard was later derived from it. Over the years we have come to understand all the deficiencies in PGP, captured well in this almost biblical rant. Even the creator of PGP recently admitted it is too hard to use for most users nowadays. Few ecosystems use it, and even where they do, adoption is low.

Nevertheless, PGP laid the early groundwork for future code signing evolution.

2. Managing keys is too painful and insecure

PGP, and pretty much all code signing technology before Sigstore, relies on managing long-lived public/private key pairs. It turns out this is complex to do well, and in practice we have failed at it over and over again, leading to major security breaches and in some cases millions being stolen.

The beauty of Sigstore is that it sidesteps private key management by using only short-lived keys (so-called 'keyless' signing) and tying signatures to existing, widely used OpenID Connect (OIDC) identities. Examples of useful OIDC providers are GitHub, Google and Microsoft accounts. In short, you get a signature tied to your public identity, and because the signing key is discarded minutes after it is created, there is no long-lived key to lose or have stolen. The caveat is that trust moves to the identity provider and to the signer's account: a verifier should pin the exact identity and OIDC issuer it expects rather than accept any certificate the CA has ever issued.

3. Sigstore just announced General Availability

Sigstore is really a suite of technologies that work together: Cosign for signing software artifacts such as container images, Gitsign for signing Git commits, the Fulcio certificate authority, which issues the short-lived signing certificates bound to OIDC identities, and the Rekor transparency log, which records every signature in a tamper-evident, publicly auditable log. These tools can be used independently or as one process for a holistic approach to software supply chain security.

In addition to the projects there are community-run public instances of the Rekor transparency log and the Fulcio certificate authority. These services were recently declared generally available, meaning they can be relied on as production-grade, stable services for signing and verification.
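To make the pieces above concrete, here is an added example that is not part of the original post and not Sigstore's own code: a compact Go model of the keyless flow described under reasons 2 and 3, using only Go's standard library. A mock CA stands in for Fulcio (the OIDC token exchange that proves the identity is assumed to have happened and is not modelled), the signer generates a key that lives only for one function call, and the verifier, like `cosign verify --certificate-identity ... --certificate-oidc-issuer ...`, checks the certificate chain at the time the transparency log recorded the signature, pins the expected identity and issuer, and only then checks the signature. Rekor itself is reduced to that recorded time passed in as a parameter; its signed entry timestamp and inclusion proof are not modelled. The Fulcio issuer extension OID is real, but its value encoding is simplified; the identity, issuer URL and artifact bytes are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Fulcio's OIDC-issuer certificate extension OID (1.3.6.1.4.1.57264.1.1); the raw-string value encoding below is simplified.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newRoot builds a long-lived CA standing in for Fulcio's root (a test fixture, hence the panics).
func newRoot() (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mock-fulcio"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-365 * 24 * time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// signKeyless models `cosign sign`: fresh key, short-lived certificate, sign, forget the key; it returns what gets
// published. (The CA key is a parameter only so one file can play both Fulcio and the signer; in reality Fulcio holds it.)
func signKeyless(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, artifact []byte, identity, issuer string, now time.Time) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral: never leaves this function
	if err != nil {
		return nil, nil, err
	}
	// Fulcio's step: `identity` was proven with an OIDC token (exchange assumed, not modelled); bind the key to it for ten minutes.
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * time.Minute),
		EmailAddresses: []string{identity}, KeyUsage: x509.KeyUsageDigitalSignature, // identity lives in the SAN...
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}}, // ...and the OIDC issuer in an extension
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return sig, certDER, err
}

// verifyKeyless models `cosign verify --certificate-identity X --certificate-oidc-issuer Y`. integratedTime is when
// the transparency log recorded the signature (Rekor's own signature over that entry is not modelled here).
func verifyKeyless(root *x509.Certificate, artifact, sig, certDER []byte, integratedTime time.Time, wantIdentity, wantIssuer string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	// Chain to the trusted root as of the log's time, not the wall clock: the ten-minute certificate has usually expired by now.
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: integratedTime, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	// Identity policy: who signed and which OIDC provider vouched for them. Skip this and any identity the CA ever served passes.
	issuer := ""
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuer) {
			issuer = string(ext.Value)
		}
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantIdentity || issuer != wantIssuer {
		return fmt.Errorf("certificate is for %v via %q, want %q via %q", cert.EmailAddresses, issuer, wantIdentity, wantIssuer)
	}
	digest := sha256.Sum256(artifact)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under the certificate's key")
	}
	return nil
}

func main() {
	caKey, caCert := newRoot()
	artifact := []byte("constructed sample artifact: contents of release-1.0.0.tar.gz")
	signedAt := time.Now().Add(-48 * time.Hour) // signed "two days ago": the certificate has long since expired
	sig, certDER, err := signKeyless(caKey, caCert, artifact, "dev@example.com", "https://accounts.example.com", signedAt)
	must(err)
	fmt.Println("at log time:  ", verifyKeyless(caCert, artifact, sig, certDER, signedAt, "dev@example.com", "https://accounts.example.com"))
	fmt.Println("at wall clock:", verifyKeyless(caCert, artifact, sig, certDER, time.Now(), "dev@example.com", "https://accounts.example.com"))
}
```

The detail worth taking away is the `CurrentTime` in the chain check. The signing certificate is valid for ten minutes, so a verifier that checked it against the wall clock would reject every signature older than that; verifying at the time the log recorded the entry is what makes short-lived keys workable, and it is also why the log entry itself has to be trustworthy. The identity check is just as essential: a certificate that chains to Fulcio's root proves only that someone with some OIDC account signed, which is why current versions of `cosign verify` require both the identity and the issuer to be specified.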

4. Sigstore is the de facto code signing for open source

Thanks to its ease of use, open source projects have quickly started adopting Sigstore. In May, the Kubernetes ecosystem adopted Sigstore in a landmark move: Kubernetes 1.24 became the first release to use Sigstore, enabling seamless verification of signatures to protect against supply chain attacks across its community of more than five million developers.

A few months later, the Python community adopted Sigstore for signing CPython releases. Python 3.11, released in November, was the first version of Python signed with Sigstore by default.

Not to be left far behind, npm recently announced that it is actively working to integrate Sigstore so that all npm packages can be reliably linked to their source code and build instructions. In the Java world, Maven Central also announced its intent to adopt Sigstore. Sigstore looks set to be the fastest adopted open source project in history. To ease adoption across ecosystems, Sigstore language clients for Python, Java, JavaScript and Ruby are in development. The Sigstore landscape highlights the growing ecosystem.


A chart showing the Sigstore landscape, with an arrow pointing to it that says "Add your signed project"

5. Enterprises are embracing Sigstore

As open source ecosystems rapidly adopt Sigstore, many companies are adopting it too. From startups such as Edgeless Systems, to companies like Autodesk, Bloomberg and Verizon, to government-facing organizations such as Rancher Government and the DoD's Platform One, Sigstore's appeal is universal.


"Sigstore, and specifically Cosign, are powerful tools that automate artifact signing and authentication. These tools are geared toward the open source community but can easily be adopted by large enterprises." (Aaron Bacchi, Verizon)

One appealing feature of Sigstore to enterprises is that it can provide a seamless and consistent developer experience across both open source and closed source software. Other reasons companies cite as advantages to using Sigstore include:

  • Keyless signing gives a great developer experience and removes the need for painful key management

  • Sigstore’s flexible architecture supports custom requirements

  • Sigstore’s use of standards such as OIDC means it can integrate seamlessly with other tools

There is one additional reason that helps make Sigstore a safe bet…

6. Sigstore has a thriving open source community

Powering the Sigstore project is a very active open source community. Sigstore is a project under the Open Source Security Foundation (OpenSSF), a cross-industry organization hosted by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. OpenSSF has over 100 participating organizations including all the major cloud providers and many academic institutions. Over 70 different organizations contribute to Sigstore and are driving the rapid adoption of Sigstore as it quickly becomes the de facto industry standard. The community recently held its first-ever SigstoreCon, in co-location with KubeCon + CloudNativeCon North America.

7. Sigstore is the first step in your supply chain security journey

According to Sonatype’s 2022 State of the Software Supply Chain Report, supply chain attacks specifically targeting open source software have increased by an average of 742% per year over the past three years. Securing software supply chains involves tackling many different challenges. To address open source and software supply chain security, OpenSSF outlined a 10-point mobilization plan. One of its goals is for 50 of the top 200 projects to adopt an interoperable approach to software signing with Sigstore. The real benefits of code signing kick in once broad adoption starts to happen. At Chainguard, we put out a call to standardize on digital signatures for software security with Sigstore.

While code signing isn’t enough on its own, it is a key first step that is easy to implement and pays early dividends. So don’t wait: join everyone in making your plans to adopt Sigstore! And just for some meme fun, check out this helpful LinkedIn thread from Sigstore co-founder and Chainguard CEO Dan Lorenc.

Resources

Sigstore.dev

Sigstore Paper

Chainguard Academy
