Sigstore explained: How it helps secure the software supply chain

The free sigstore signing service helps developers establish provenance and integrity of open-source software.

Notable incidents such as SolarWinds and Log4j have placed a focus on software supply chain security. They have also sent security teams in search of tools to ensure the integrity of software from third parties. Software use is ubiquitous, with digital platforms now accounting for 60% of GDP per the World Economic Forum (WEF). While the way we use software has and is changing the world, the methods to ensuring the integrity of software sourced from across the ecosystem is lacking. The software supply chain often lacks the use of digital signatures, and when it doesn’t it typically uses traditional digital signing techniques which can be challenging to automate and audit.

Sigstore definition

Enter sigstore. As sigstore co-creator and Chainguard founder Dan Lorenc has put it, sigstore is “a free signing service for software developers that improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies.”

Who has adopted sigstore?

It isn’t just the sigstore team who see the value in the proposed technology. Kubernetes announced that it was standardizing on sigstore, using it in its latest 1.24 release. This allows Kubernetes consumers to ensure the distribution they’re using is what is intended. Adding to that endorsement, the Linux Foundation and OpenSSF recently published “The Open Source Software Security Mobilization Plan,” which emphasizes digital signatures to enhance trust in the software supply chain. The proposed approach includes using the sigstore project due to its critical components such as a certificate authority, transparency logs and ecosystem-specific libraries.

How does sigstore work? 

Sigstore is set up to help address some of the existing gaps in the open-source software (OSS) supply chain and how we handle integrity, digital signatures and verifying the authenticity of OSS components. This is critical since 90% of IT leaders are using OSS. Organizations are prioritizing hiring OSS talent, and we’ve seen several notable software supply chain incidents as mentioned above.

Sigstore brings together several OSS tools such as Fulcio, Cosign and Rekor to assist with digital signing, verification and checks of code provenance. Code provenance is the ability to have a chain of custody showing where code originated and from whom. The Uber Privacy and Security team has published an excellent blog post discussing how they approach the path to code provenance.

Unpacking some of the core sigstore components, let's start with Fulcio. Fulcio is a root certificate authority (CA) that focuses on code signing. It is free and issues certifications tied to OpeID Connect (OIDC) and often uses existing identifiers that developers are already associated with. With the rapid adoption and growth of cloud-native architectures and deployment of containers, signing containers have become a key security best practice.

Key management is a cumbersome activity that is often offered as a managed service by cloud service providers (CSPs) or third parties. Sigstore helps mitigate some of that complexity through the way in which it supports Cosign alleviates some of the key management challenges using “keyless signing” via ephemeral, or temporary keys. Despite the use of ephemeral keys, you can still have assurances of the validity of signatures through Fulcio’s timestamping service.

This is where Cosign comes in, as it supports signing options and can seamlessly support generating keypairs and signing container artifacts for storage in a container registry. This empowers cloud-native environments to validate the container against a public key and ensure the container is signed by a trusted source. Digitally signing image artifacts during build time and validating those signatures is a key security best practice highlighted in the Cloud Native Computing Foundation (CNCF) Cloud Native Security Whitepaper.

Next up is Rekor, which is an immutable and tamper-resistant ledger created as part of software maintenance and build activities. It empowers software consumers to examine the metadata and make risk informed decisions about the software they’re using and the activities involved throughout its lifecycle. Going back to our previous point on software provenance, developers can use Rekor to contribute to the provenance of software via the transparency log.

Another notable call out is the emerging guidance such as Supply Chain Levels for Software Artifacts (SLSA) and NIST’s Secure Software Development Framework (SSDF). SLSA level 3 emphasizes the need for auditing the source and integrity of software provenance, which sigstore supports. Specific practices called out in SSDF also point to the need for providing provenance and verification mechanisms. This is significant because the U.S. federal government is moving toward requiring software producers selling to the government to attest with practices outlined in SSDF. By adopting sigstore you can position your organization to align with the emerging standards and best practices discussed here and mitigate critical software supply chain risks which could lead to a security incident and the associated impact.

What’s the future of sigstore?

We are just in the infancy of industry adoption of the sigstore project. That said, with major endorsements by leading OSS projects such as Kubernetes and the OSS Security Mobilization Plan from The Linux Foundation and OpenSSF, the future looks bright.

As OSS adoption accelerates and organizations make the push to bolster their software supply chain practices, sigstore serves as a critical ecosystem opportunity to cover key areas around digital signatures, authenticity and integrity. Risk management is all about making informed decisions and having robust details around the provenance of software artifacts and those involved in their creation and distribution is crucial. This is where the sigstore project shines and likely is to continue to experience rapid industry adoption.

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.