The Linux Foundation, Red Hat, Google, and Purdue have unveiled the free ‘sigstore’ service that lets developers code-sign and verify open source software to prevent supply-chain attacks.

As demonstrated by the recent dependency confusion attacks and malicious typo-squatted NPM packages, the open-source ecosystem is commonly targeted for supply-chain attacks.

To pull these attacks off, threat actors will create malicious open-source packages and upload them to public repositories using names similar to popular legitimate packages. If a developer mistakenly includes the malicious package in their own project, malicious code will automatically be executed when the project is built.

To prevent these types of attacks, ‘sigstore’ will be a free-to-use non-profit software signing service that allows developers to sign open-source software and verify their authenticity.

“You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.”

“Sigstore also has the added benefit of being backed by transparency logs, which means that all the certificates and attestations are globally visible, discoverable and auditable,” Google explained in a blog post today.

Sigstore is built around short-lived certificates based on OpenID Connect grants, public Transparency Logs, and a special Root CA allocated for just code-signing.

Sigstore demonstration
Sigstore demonstration

With the Transparency Logs being public, they can easily be monitored by compromise and rolled back when detected.

The project is currently in the early stages of development, but the project coordinators ask for feedback and involvement from other developers.