
A new Linux Foundation open source signing tool could make secure software supply chains universal
2021-03-11 15:13

Sigstore could eliminate the headaches associated with current software signing technology through public ledgers.

The Linux Foundation, in partnership with Red Hat, Google and Purdue University, has announced a new digital signing project, potentially eliminating many of the headaches that come with securing open source software, files, images and binaries.

Called sigstore, the new cryptographic signing platform uses public logging similar to that of cryptocurrencies and other blockchain technologies, with the result that many of the security risks associated with traditional digital signing technologies are eliminated.

The platform is designed for open source projects, which the Linux Foundation said are rarely cryptographically signed because of the difficulties of key management, key compromise or revocation, public key distribution and artifact digests.
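To make concrete what the "public logging" described above buys a verifier, here is a toy append-only transparency log for signing records. It is an illustration written for this page, not sigstore's own code. The hashing follows the RFC 6962 convention used by Certificate Transparency (a 0x00 prefix for leaves, 0x01 for interior nodes); the records, identities and artifact bytes are constructed, and the "signature" field is an opaque placeholder standing in for a real asymmetric signature, since the point shown is the log, not the signature scheme: a signer gets back a log index, a verifier checks an inclusion proof against the log's published head offline, a record altered after the fact fails that check, and an auditor holding a copy of the log can confirm that a later head still contains the earlier one.

```python
"""Toy append-only transparency log for signing records (illustrative code
written for this page, not sigstore's).  Hashing follows RFC 6962: 0x00
prefix for leaves, 0x01 for interior nodes.  All records are constructed and
the "signature" field is a placeholder, not a real signature."""
import hashlib
import json


def leaf_hash(entry: bytes) -> bytes:
    # Domain separation: a leaf hash can never be mistaken for a node hash.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split_point(n: int) -> int:
    # Largest power of two strictly below n (n >= 2), as in RFC 6962.
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaf_hashes: list) -> bytes:
    if not leaf_hashes:
        return hashlib.sha256(b"").digest()      # empty-tree hash
    if len(leaf_hashes) == 1:
        return leaf_hashes[0]
    k = _split_point(len(leaf_hashes))
    return node_hash(merkle_root(leaf_hashes[:k]), merkle_root(leaf_hashes[k:]))

def inclusion_proof(leaf_hashes: list, index: int) -> list:
    # Sibling hashes from the leaf up to the root (the RFC 6962 audit path).
    if len(leaf_hashes) == 1:
        return []
    k = _split_point(len(leaf_hashes))
    if index < k:
        return inclusion_proof(leaf_hashes[:k], index) + [merkle_root(leaf_hashes[k:])]
    return inclusion_proof(leaf_hashes[k:], index - k) + [merkle_root(leaf_hashes[:k])]

def _root_from_proof(h, index, size, proof):
    # Root implied by a leaf hash and its audit path; None if the proof
    # does not have the right shape for this (index, size).
    if not 0 <= index < size or (size == 1) != (not proof):
        return None
    if size == 1:
        return h
    k = _split_point(size)
    sibling, rest = proof[-1], proof[:-1]
    if index < k:
        left = _root_from_proof(h, index, k, rest)
        return None if left is None else node_hash(left, sibling)
    right = _root_from_proof(h, index - k, size - k, rest)
    return None if right is None else node_hash(sibling, right)

def verify_inclusion(entry: bytes, index: int, size: int, proof: list, root: bytes) -> bool:
    # What a verifier runs offline: entry + proof must reproduce the published head.
    return _root_from_proof(leaf_hash(entry), index, size, proof) == root

def canonical(record: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

class TransparencyLog:
    def __init__(self):
        self._entries = []                  # only ever grown by append()

    def __len__(self):
        return len(self._entries)

    def append(self, record: dict) -> int:
        self._entries.append(canonical(record))
        return len(self._entries) - 1       # log index handed back to the signer

    def root_at(self, size: int) -> bytes:  # head hash over the first `size` entries
        return merkle_root([leaf_hash(e) for e in self._entries[:size]])

    def proof(self, index: int) -> list:
        return inclusion_proof([leaf_hash(e) for e in self._entries], index)

def demo() -> dict:
    log = TransparencyLog()
    artifact = b"release-1.0.tar.gz (constructed artifact bytes)"
    record = {"artifact_sha256": hashlib.sha256(artifact).hexdigest(),
              "signer": "maintainer@example.org",        # constructed identity
              "signature": "PLACEHOLDER-SIGNATURE"}       # stands in for a real one
    for i in range(3):                                    # unrelated earlier entries
        log.append({"artifact_sha256": "%064x" % i, "signer": "other@example.org",
                    "signature": "PLACEHOLDER"})
    index = log.append(record)
    size, root = len(log), log.root_at(len(log))          # what the log publishes
    proof = log.proof(index)
    genuine = verify_inclusion(canonical(record), index, size, proof, root)
    altered = dict(record, signer="someone-else@example.org")   # record changed later
    altered_ok = verify_inclusion(canonical(altered), index, size, proof, root)
    log.append({"artifact_sha256": "ff" * 32, "signer": "other@example.org",
                "signature": "PLACEHOLDER"})
    append_only = log.root_at(size) == root   # auditor: old head is still a prefix
    return {"genuine": genuine, "altered": altered_ok, "append_only": append_only}
```

Calling `demo()` returns `genuine=True`, `altered=False` and `append_only=True`. The verifier never needs the whole log, only the entry, its index, the tree size and a proof of logarithmic length, which is what makes a signing event discoverable and auditable by anyone rather than only by whoever holds the signing key.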

The Linux Foundation describes sigstore as a nonprofit project designed for the public good that "will be free to use for all developers and software providers, with sigstore's code and operation tooling being 100% open source and maintained / developed by the sigstore community."

Luke Hinds, security engineering lead at the Red Hat office of the CTO, said: "Sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain."


News URL

https://www.techrepublic.com/article/a-new-linux-foundation-open-source-signing-tool-could-make-secure-software-supply-chains-universal/#ftag=RSS56d97e7

Related vendor

Vendor | Last 12M #/Products | Low | Medium | High | Critical | Total vulns
Linux  | 18                  | 373 | 1432   | 1136 | 695      | 3636