
Linux Foundation unveils Sigstore — a Let's Encrypt for code signing
2021-03-10 20:49

The Linux Foundation, Red Hat, Google, and Purdue have unveiled the free 'sigstore' service that lets developers code-sign and verify open source software to prevent supply-chain attacks.

In these attacks, threat actors create malicious open-source packages and upload them to public repositories under names similar to those of popular legitimate packages.

If a developer mistakenly includes the malicious package in their own project, the malicious code is executed automatically when the project is built.

To counter these attacks, 'sigstore' will be a free-to-use, non-profit software signing service that allows developers to sign open-source software and verify its authenticity.

"You can think of it like Let's Encrypt for Code Signing. Just like how Let's Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code."

Sigstore is built around short-lived certificates issued against OpenID Connect grants, public transparency logs, and a dedicated root CA used only for code signing.
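To show what those three building blocks mean for the party doing the verifying, here is an added Python model (not sigstore's own code): a release is accepted only if its digest matches the log entry, the entry was signed by the expected OIDC identity, the log's integration time falls inside the short-lived certificate's validity window, and the entry is provably included in the Merkle-tree transparency log. It uses RFC 6962-style leaf/node hashing with the standard library only; the certificate, identities, timestamps and log entries are all constructed for the example.

```python
import hashlib, json

# Added example, not sigstore's own code: a "keyless" verifier in miniature. A short-lived
# certificate binds an OIDC identity to a key for minutes; each signature is recorded in
# a Merkle-tree transparency log (RFC 6962 hashing) with its integration time. The
# signature itself is abstracted away so this runs offline; every value is constructed.
LEAF, NODE = b"\x00", b"\x01"  # RFC 6962 domain-separation prefixes
def digest(prefix, *parts):
    return hashlib.sha256(prefix + b"".join(parts)).digest()
def split(n):  # largest power of two strictly less than n
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves):
    if len(leaves) == 1:
        return leaves[0]
    k = split(len(leaves))
    return digest(NODE, merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves, idx):  # sibling hashes from leaf idx up to the root
    if len(leaves) == 1:
        return []
    k = split(len(leaves))
    if idx < k:
        return inclusion_proof(leaves[:k], idx) + [("R", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], idx - k) + [("L", merkle_root(leaves[:k]))]

def verify_inclusion(leaf, proof, root):
    for side, sibling in proof:
        leaf = digest(NODE, sibling, leaf) if side == "L" else digest(NODE, leaf, sibling)
    return leaf == root

def entry_leaf(entry):  # canonical JSON of the log entry, hashed as a leaf
    return digest(LEAF, json.dumps(entry, sort_keys=True).encode())

def verify_artifact(artifact, entry, cert, proof, log_root, expected_identity):
    # Return "ok" or the first failed check, in the order a verifier applies them.
    checks = [
        (hashlib.sha256(artifact).hexdigest() == entry["artifact_sha256"], "digest mismatch"),
        ({cert["identity"], entry["identity"]} == {expected_identity}, "identity mismatch"),
        (cert["not_before"] <= entry["integrated_time"] <= cert["not_after"], "signed outside certificate validity"),
        (verify_inclusion(entry_leaf(entry), proof, log_root), "entry not in transparency log"),
    ]
    return next((msg for ok, msg in checks if not ok), "ok")

# Constructed log of three entries; the release is signed under a 10-minute certificate.
def make_entry(data, who, t):
    return {"artifact_sha256": hashlib.sha256(data).hexdigest(), "identity": who, "integrated_time": t}
RELEASE = b"widget-1.2.0.tar.gz contents"
CERT = {"identity": "maintainer@example.org", "not_before": 1615400000, "not_after": 1615400600}
ENTRIES = [make_entry(b"other-0.9", "ci@example.org", 1615390000),
           make_entry(RELEASE, "maintainer@example.org", 1615400120),
           make_entry(b"other-1.0", "ci@example.org", 1615400900)]
LEAVES = [entry_leaf(e) for e in ENTRIES]
LOG_ROOT = merkle_root(LEAVES)
def check_release(artifact=RELEASE, idx=1, cert=CERT):
    return verify_artifact(artifact, ENTRIES[idx], cert, inclusion_proof(LEAVES, idx), LOG_ROOT, "maintainer@example.org")
```

`check_release()` returns "ok" for the genuine release, while a tampered artifact, an entry signed by a different identity, a certificate whose window does not cover the log time, or a proof that does not lead to the signed root each return the specific failure.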

News URL

https://www.bleepingcomputer.com/news/software/linux-foundation-unveils-sigstore-a-lets-encrypt-for-code-signing/