Sigstore, a free service to verify the origin and authenticity of the software

Information security is today a critical issue for individuals, for companies and even within the world of free software. Sigstore is a free service created by the Linux Foundation that aims to let developers sign their code and verify open source software in order to prevent attacks.

The service was initially introduced by the Linux Foundation, Red Hat, Google and Purdue. It is a very effective code signing system that lets you sign code and prevent attacks against it.

Why is signing so important in the world of free software? Because an attacker can create malicious code under a path that looks like an official free software project; if a developer includes it in some part of the application being built, that malicious code will run when users compile and install the application and can cause different kinds of damage.

It can be compared to Let's Encrypt, which provides free certificates and automation tools for HTTPS. Sigstore, for its part, provides free certificates and tools to automate and verify source code signatures.

Sigstore relies on short-lived certificates issued on the basis of OpenID Connect identities, public transparency logs, and a dedicated root CA used only for code signing. At the moment the project is still under development, so we will have to wait for it to be fully operational. Checking SSL certificates is important, as is checking any other kind of certificate we may come across.
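To make the mechanism in this paragraph concrete, here is a small Go model of keyless signing and verification written for this article; it is not Sigstore's own code or client. The certificate authority and the transparency log are stand-ins (a local toy root CA and a record time returned by Sign), the email identity is assumed to have been verified through OpenID Connect before the certificate is issued, and Ed25519 signs the artifact bytes directly, whereas the real system signs a SHA-256 digest with ECDSA. The point it demonstrates is that the signing certificate only lives ten minutes, so the verifier checks it against the time the log recorded the entry, not against the current time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err) // constructed demo inputs: a failure here is a bug in the example
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

// NewRoot builds a toy root CA used only for code signing: the trust anchor a verifier ships with.
func NewRoot() (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: time.Now().Add(48 * time.Hour)}
	return key, issue(tmpl, tmpl, pub, key)
}

// Sign models keyless signing at time now: an ephemeral key that is never stored, a 10-minute certificate bound to the OIDC-verified email, the signature, and the time the log recorded the entry.
func Sign(rootKey ed25519.PrivateKey, rootCert *x509.Certificate, email string, artifact []byte, now time.Time) ([]byte, *x509.Certificate, time.Time) {
	pub, eph, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{email}, NotBefore: now, NotAfter: now.Add(10 * time.Minute)}
	return ed25519.Sign(eph, artifact), issue(tmpl, rootCert, pub, rootKey), now.Add(2 * time.Second)
}

// Verify checks: issued by the code-signing root; valid at the *logged* time (it has long expired by verification time); names the expected signer; signature covers this artifact.
func Verify(sig []byte, cert *x509.Certificate, logged time.Time, rootCert *x509.Certificate, email string, artifact []byte) error {
	if err := cert.CheckSignatureFrom(rootCert); err != nil {
		return fmt.Errorf("certificate not issued by the trusted root: %w", err)
	}
	if logged.Before(cert.NotBefore) || logged.After(cert.NotAfter) {
		return fmt.Errorf("certificate was not valid when the log recorded the entry")
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != email {
		return fmt.Errorf("unexpected signer identity %v", cert.EmailAddresses)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, artifact, sig) {
		return fmt.Errorf("signature does not verify for this artifact")
	}
	return nil
}
```

Exercise it from a `_test.go` file in the same package, or add a `main` that calls NewRoot, Sign and Verify; signing two hours in the past and then verifying shows a certificate that is already expired but still accepted because the logged time falls inside its window.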

Signing code with Sigstore: protecting the software we install, which is essential for security.

The programs we install and the software we download from the Internet are one of the ways attackers sneak malware onto our computers. Simply by getting us to install an application, they can carry out many types of attacks.

This makes it very important to choose carefully which software we install and where we download it from, and of course to keep it updated so that vulnerabilities that appear are corrected before third parties can exploit them.

The idea of the Sigstore project is to give greater authenticity to the software developers use when building applications, so that users can be offered safe, genuine programs without any risk that might endanger their privacy.

Even so, any program may suffer some kind of vulnerability in the future, hence the importance of always installing every available update. There are many flaws that could exist and be exploited by attackers to steal information or gain access to the system.

The official website puts it this way:

Software supply chain security: software supply chains are exposed to multiple risks. Users are susceptible to various targeted attacks, along with account and cryptographic key compromise. Keys in particular are a challenge for software maintainers to manage. Projects often have to keep a list of current keys in use and manage the keys of people who no longer contribute to a project. Too often, projects store public keys / digests on websites or readme files in git repositories, two mutable forms of storage and therefore a less-than-optimal means of securely communicating trust. Source: https://sigstore.dev/what_is_sigstore/

Reading this quote from the official website, we can appreciate the enormous complexity of maintaining free software projects, where handling the set of public signing keys is crucial so that malicious developers cannot insert malicious code into the applications being developed.

For this reason Sigstore was created: to automate the tedious process of updating the public signing keys of the different contributors to free software projects, so as to guarantee that the developer adding new functions to the project is the legitimate one and not a malicious person who wants to damage the software by inserting malicious code into it.

Remember that in the world of free software there are countless large and small projects. One example of a large project is the Debian Project, maintained by a large group of programmers; the distribution includes a great deal of software, much of it highly complex.

Developers still have doubts about their personal privacy. The creators of Sigstore respond to these concerns on their official website, where they explain in detail that they respect personal privacy and require no data beyond your email address.

They also explain why they do not use a blockchain and the technical complexity that this would involve; perhaps it will be implemented on a blockchain in the future, but for now that is not being considered. The project promises to be a very important technological innovation in the world of signing free software applications.

But, as they explain on their website, the projects are not left to do this alone: they will support all software projects in implementing this signing and signature-management system, providing the necessary training and adapting the development and binary build platforms that exist in many free software projects, so as to achieve a signing process that is transparent to all free software projects and resistant to malicious attacks.

It only remains to wait and see whether Sigstore's approach to securing software applications during development is the right solution and improves processes that are still tedious in free software projects. Even so, implementing this technology will not be easy, since some infrastructures in the world of free software are very large and the process of implementation and adaptation will take real effort.
