The Linux Foundation, Red Hat, Google and Purdue University have announced the creation of an open source project called Sigstore, aimed at protecting and securing software subscription free of charge. The initiative is a consequence of the invasion of the SolarWinds update system, invaded by hackers allegedly from Russia, whose consequences are not yet fully known.
The sigstore will allow software developers to securely sign software artifacts, such as new files, container images and binaries. The subscription materials are then stored in a tamper-proof public record. The service will be free for all software developers and vendors; the Sigstore code and operating tools were developed by the Sigstore community.
“Sigstore allows all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, head of security engineering at Red Hat.
Few open source projects cryptographically sign software artifacts. This is largely due to the challenges that software maintainers face in key management, key compromise / revocation and distribution of public artifact keys. In turn, users need to look at which keys to trust and learn the steps necessary to validate the signature.
Other problems exist in how digests and public keys are distributed, often stored on sites susceptible to hacks or README files in public git repositories. Sigstore seeks to solve these problems by using short-lived ephemeral keys with a trusted root supported by public, open and auditable transparency logs.
With international agencies
See the original post at: https://www.cisoadvisor.com.br/fundacao-linux-anuncia-open-source-para-assinatura-de-software/?rand=59039
