“These are huge issues that put the entire world’s infrastructure at risk,” says Bob Callaway, a chief architect at the enterprise open source software company Red Hat. “It’s certainly not a panacea that will fix everything, but it will make a big dent getting people to actually use best practices and cryptographic techniques that have been around for a long time and make releases more secure.”
Sigstore, which is affiliated with the Linux Foundation and currently led by Google, Red Hat and Purdue University, combines two components. First, it coordinates convoluted cryptography for its users; it even gives the option to literally handle everything for developers who can’t or don’t want to take on the extra work themselves. By using established, preexisting identifiers like an email address or a third-party sign-in system like Sign In With Google or Sign In With Facebook, you can quickly start cryptographically signing code you produce as having been made by you at a certain time. Second, Sigstore automatically produces a public, immutable open source log of all activity. That provides public accountability of every submission and a place to start investigating if something goes awry.
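To make the second component concrete, here is an added toy model (not Sigstore's own code) of a hash-chained, append-only log: every entry commits to the one before it, so a published checkpoint lets anyone detect a rewritten or deleted entry after the fact and look up which identity vouched for a given artifact. The identity, artifact digest and signature fields are constructed placeholders standing in for the real identity-bound signing step.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed "previous hash" for the first entry


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class TransparencyLog:
    """Append-only, hash-chained log (toy model of a public transparency log)."""

    def __init__(self):
        self.entries = []  # each entry: index, prev, body, leaf_hash

    def append(self, identity: str, artifact_digest: str, signature: str, issued_at: int) -> dict:
        # The body records who signed what, and when; the leaf hash binds it to the prior entry.
        body = {"identity": identity, "artifact": artifact_digest,
                "signature": signature, "issued_at": issued_at}
        prev = self.entries[-1]["leaf_hash"] if self.entries else GENESIS
        leaf = _h((prev + json.dumps(body, sort_keys=True)).encode())
        entry = {"index": len(self.entries), "prev": prev, "body": body, "leaf_hash": leaf}
        self.entries.append(entry)
        return entry

    def checkpoint(self) -> str:
        # A value the log operator publishes; auditors compare it against their own recomputation.
        return self.entries[-1]["leaf_hash"] if self.entries else GENESIS

    def verify_chain(self, expected_checkpoint: str) -> bool:
        # Recompute every leaf from the genesis value; any edit, reorder or deletion breaks the chain.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["index"] != i or e["prev"] != prev:
                return False
            if _h((prev + json.dumps(e["body"], sort_keys=True)).encode()) != e["leaf_hash"]:
                return False
            prev = e["leaf_hash"]
        return prev == expected_checkpoint

    def entries_for_artifact(self, artifact_digest: str) -> list:
        # Where an investigation starts: which identities claimed to have produced this artifact?
        return [e for e in self.entries if e["body"]["artifact"] == artifact_digest]
```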
“Around 2019 I was talking with Luke Hinds at Red Hat, and I said wouldn’t it be cool if we could have basically a paper trail of everything that happened in the software supply chain, some sort of transparency log,” says Santiago Torres-Arias, a supply chain researcher at Purdue University. “Then he disappeared for a couple of months. And then he came back with a prototype.”
On Friday, Lorenc, Torres-Arias, Callaway, Hinds, and secure software distribution researcher Marina Moore of New York University will all participate in a public cryptographic ceremony to become the progenitor key-holders of Sigstore. They’ll generate and load encryption keys, essentially passwords, onto secure thumb drives that will remain in their possession for four months. After that the keys will rotate in another ceremony to other holders—a gesture toward the goal of making Sigstore a neutral community project. Any changes to the system will require the presence of three out of five key-holders. This establishes a “root of trust” for all of the development projects that will be able to adopt Sigstore going forward.
“It’s definitely both scary and exciting,” NYU’s Moore says. “This is one of the five keys that’s underpinning the security of the whole system. If all is well I’ll just lock it in a safe for four months, but it’s definitely something I’ve been thinking about.”
Sigstore will need to be widely adopted to be successful. But with supply chain attacks looming as an increasingly mainstream concern, the five key-holders say they think that something easy and free really has the potential to take off. A similar project called Let’s Encrypt issues free encryption certificates to websites and has been a huge driver in the global effort to encrypt the vast majority of web traffic. To date it has issued certificates to more than 260 million websites.