The complexity of today's software supply chains creates opportunities for malicious actors, and once malicious code has been implanted the consequences can be extremely damaging. Major security breaches today target the weakest link in the software supply chain to gain access to vital IT infrastructure.

Axel Simon, open source security, Office of the CTO at Red Hat, explains how businesses can secure their software supply chains with the help of a new, simplified signing system.

Sigstore: the new signing software

The open source community has been working on creating a more developer-friendly software signing environment. The project is called “sigstore” and is being developed to replace long-lived keys with ephemeral keys that are tied to existing identifiers like email addresses and social media logins.

It also creates an immutable public log of every signing activity, which will effectively relieve developers of the burden of software signing. The project's main goal is to simplify and automate digital signing to the point where it becomes invisible infrastructure. Because the system does not rely on long-lived keys that can be stolen or lost, it is intrinsically safer as well.

Since sigstore’s launch in 2019, the project’s scope has grown to include sigstore sub-projects such as Cosign (for container and general software artefact signing), Rekor (a transparency log), and Fulcio (a certificate authority), as well as collaborations with other open source initiatives such as Tekton Chains (a spin-off of the Tekton CI/CD project).
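As an added illustration (not sigstore's own code), here is a small Go model of the keyless flow described above: a throw-away Ed25519 key is certified for an identity by a CA playing the Fulcio role, the signature is recorded in a hash-chained log playing the Rekor role, and verification checks identity, CA chain, signature and log inclusion. The plain identity string, the `Entry` layout and the simple hash chain are simplifications assumed for this example; real sigstore uses X.509 certificates, OIDC tokens and a Merkle-tree log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Entry is one record in the append-only transparency log (the Rekor role). Identity, PubKey and CASig stand in
// for the short-lived certificate the CA (the Fulcio role) issues; PrevHash chains each entry to the one before it.
type Entry struct {
	Identity  string            // e.g. an e-mail address from an OIDC login (assumed format for this example)
	PubKey    ed25519.PublicKey // ephemeral key, used for this one signing only
	CASig     []byte            // CA signature over Identity|PubKey
	Artifact  [32]byte          // SHA-256 of the signed artifact
	Signature []byte            // signature over Artifact by the ephemeral key
	PrevHash  [32]byte          // hash of the previous entry; altering history breaks every later hash
}

func certBytes(identity string, pk ed25519.PublicKey) []byte { return append([]byte(identity+"|"), pk...) }
func entryHash(e Entry) [32]byte {
	return sha256.Sum256(append(append(e.Artifact[:], e.PrevHash[:]...), e.Signature...))
}

// Sign models keyless signing: a fresh key pair is generated, certified for the identity, used once, then discarded.
func Sign(caPriv ed25519.PrivateKey, identity string, artifact []byte, log *[]Entry) Entry {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	e := Entry{Identity: identity, PubKey: pub, Artifact: sha256.Sum256(artifact)}
	e.CASig = ed25519.Sign(caPriv, certBytes(identity, pub))
	if n := len(*log); n > 0 {
		e.PrevHash = entryHash((*log)[n-1])
	}
	e.Signature = ed25519.Sign(priv, e.Artifact[:])
	*log = append(*log, e)
	return e // priv goes out of scope here: there is no long-lived key to lose or steal
}

// Verify requires a certificate that chains to the CA and names the expected identity, a signature that
// matches the artifact, and an entry that is actually present in the transparency log.
func Verify(caPub ed25519.PublicKey, want string, artifact []byte, e Entry, log []Entry) bool {
	if e.Identity != want || !ed25519.Verify(caPub, certBytes(e.Identity, e.PubKey), e.CASig) ||
		e.Artifact != sha256.Sum256(artifact) || !ed25519.Verify(e.PubKey, e.Artifact[:], e.Signature) {
		return false
	}
	for _, l := range log {
		if entryHash(l) == entryHash(e) {
			return true
		}
	}
	return false
}
```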

Software supply chain attacks

It's not uncommon for supply chain partners who seem harmless to be the most dangerous. For example, the 2013 attack on US retailer Target, one of the largest data breaches in history, was carried out by hacking into the air conditioning software of a Target supplier. Supply chain security has become such a big topic that the White House has issued a new Executive Order on the matter.

In 2020, malicious code embedded in a SolarWinds software update spread across US federal government departments and affected roughly 18,000 organisations globally. Earlier this year, a vulnerability in Microsoft's Exchange Server exposed more than 20,000 US organisations.

Attacks on complex software supply chains cannot be ignored, yet the capabilities such supply chains offer are tempting to teams. This duality can force software engineers to choose between complying with the strictest security requirements and freeing themselves from inconvenience and friction to focus on innovation instead.

Developers’ responsibilities to be reduced

Since traditional code signing techniques use cryptographic keys to validate the author and the integrity of the contents of a software repository, it is the developer's responsibility to generate keys and keep them safe. This workload may be too much to bear for some developers, and as a result they may stop signing the code they develop, which is detrimental to security, or write less code, which is bad for innovation.

Both have repercussions for other developers. When so much of today's software is built on open source principles, and anyone can take the code and modify it, the issue of provenance becomes critical. This holds true for proprietary software as well, which is increasingly based on open source technology.

The new system proposes a way to reconcile these seemingly opposed drives and to rethink software signing.
