Application security, DevSecOps

Linux Foundation launches software signing service

Share
A sidewalk depiction of IBM’s Peace, Love, and Linux advertising campaign in 2001. (“Peace, Love, and Linux” by kino-eye is licensed under CC BY-NC-SA 2.0)
A sidewalk depiction of IBM's Peace, Love, and Linux advertising campaign in 2001. The Linux Foundation is launching "sigstore," a free-to-use software signing certificate authority open to all developers. ("Peace, Love, and Linux" by kino-eye is licensed under CC BY-NC-SA 2.0)

The Linux Foundation is launching "sigstore," a free-to-use software signing certificate authority open to all developers.

Code signing cryptographically authenticates that software has not been tampered with before installation. It can be a valuable tool to prevent hackers from co-opting patching systems or software distribution to deliver malware.

But it can be a difficult feature for open source software producers to leverage, given the complexities of the process and key management.

The sigstore project opens with Google, Purdue University and Red Hat as founding members. The announcement comes less after a month after Google announced that it was underwriting two Linux kernel security positions through the Linux Foundation.

The "sigstore aims to make all releases of open source software verifiable, and easy for users to actually verify. I'm hoping we can make this easy as exiting vim," said Dan Lorenc of Google's Open Source Security Team, joking about the tough-to-quit text editor. "Watching this take shape in the open has been fun. It's great to see sigstore in a stable home."

sigstore comes as more organizations begin to think critically about third party risk, particularly after the SolarWinds hackers coopted the update system to breach downstream users. That said, it's worth noting that in SolarWinds, malware was inserted into updates early enough in the process that code signing would not have caught the problem.

Still, the founding members of sigstore believe the project can drastically change the environment for software authentication.

“We are happy to host and contribute to work that enables software maintainers and consumers alike to more easily manage their open source software and security," said Mike Dolan, senior vice president and general manager of projects for the Linux Foundation, in a statement.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.
Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.