The Linux Foundation, Red Hat and Google present sigstore, which aims to prevent future cyberattacks such as SolarWinds



The Linux Foundation, together with Red Hat, Google and Purdue University (whose main campus is in Indiana, United States), has created the sigstore project, which aims to offer software supply chain protection. Let's not forget that the massive cyberattack that SolarWinds suffered at the end of 2020 reached many companies and public institutions around the world after the attackers managed to tamper with its supply chain.


In other words, the attackers compromised the security of a third party, in this case SolarWinds, and through it managed to infiltrate companies and public entities that use its services, such as Microsoft, NASA or Cisco (and almost every company on the Fortune 500 list). It is on this basis that the Linux Foundation and its partners have worked on the new software service being introduced now.




How sigstore works







Against the backdrop of the SolarWinds incident, sigstore aims to improve software supply chain security by allowing developers to securely sign software programs, files, container images and more. The service will be free for all software developers and vendors.



That said, the sigstore code and the tools that will make this work are still being developed by the community.



Sigstore uses the OpenID Connect authentication protocol to bind certificates to identities. "We understand that long-term key management is difficult, which is why we have taken a unique certificate issuance approach based on OpenID Connect identity providers," Google spokespeople explained. Sigstore also records all signing activity in transparency logs, backed by Trillian, so that any compromise can be detected more easily and tackled as it arises.



The goal of sigstore is to make signing and verifying code easy, and for this purpose a special root certificate authority ("Root CA") will be made available for free. The sigstore signing client generates a short-lived key pair and contacts the sigstore PKI (public key infrastructure), which will be run by the Linux Foundation. This service checks that the OpenID Connect grant is valid and issues a certificate for that key pair, which is then used to sign the software.





With all this, even if a project's source code is tampered with, "sigstore allows all open source communities to sign their software with the goal that the software supply chain be transparent and controllable," said Luke Hinds, Chief of Security Engineering in the Red Hat CTO office.