A New Tool Wants to Save Open Source from Supply Chain Hacks

Russia’s historically destructive NotPetya malware attack and its more recent SolarWinds cyberespionage campaign have something in common besides the Kremlin: They’re both real-world examples of software supply chain attacks. It’s a term for what happens when a hacker slips malicious code into legitimate software that can spread far and wide. And as more supply chain attacks emerge, a new open source project is angling to take a stand, making a crucial safeguard free and easy to implement.

The founders of Sigstore hope that their platform will spur adoption of code signing, an important protection for software supply chains but one that popular and widely used open source software often overlooks. Open source developers don’t always have the resources, time, expertise, or wherewithal to fully implement code signing on top of all the other nonnegotiable components they need to build for their code to function.

“Until about a year and a half ago I felt like the crazy person standing on the corner with a sign that says, ‘The End Is Coming.’ Nobody understood the problem,” says Dan Lorenc, an open source software supply chain researcher and engineer at Google. “But in the past year things have changed considerably. Now everybody is talking about supply chain security, we have an Executive Order about it, and everybody is starting to realize how critical open source is and how we need to actually put some resources behind fixing the security of it for everybody.”

Lorenc is far from the only researcher who has focused on the challenges of securing open source projects or the supply chain. But the mainstream attention generated by recent high-profile hacks garnered a whole new level of enthusiasm for work Lorenc and his collaborators already had underway.

To understand Sigstore’s significance you need to have a sense of what code signing does. Think of it like battle orders delivered in olden times. Generals would recognize the handwriting of the royal scribe, the commander in chief’s signature, and the detailed wax seal on the envelope, while a carefully vetted network of pages delivered the messages in a controlled chain of custody. That system worked because it was extremely difficult—though not totally impossible—for an outside entity to infiltrate the process, replicate crucial elements, and get around all those integrity checks. 

The same is true for cryptographic code signing. You can’t just make up a Windows update and distribute it to your closest friends or enemies. Only Microsoft can do that unless something has gone very wrong. One reason it’s so challenging for anyone other than Microsoft to send updates to your Windows laptop is that the software needs to have been “signed” by the right creator at the right time. It’s the John Hancock and wax seal of the digital era. 

You can see why the stakes are so high, though, for ancient battles and modern software alike. If someone could send rogue orders or updates, they could stage a coup—or compromise billions of computers. The benefits of code signing are clear, but getting hobbyists, volunteers, and other open source contributors to incorporate it requires a low barrier to entry.

“These are huge issues that put the entire world’s infrastructure at risk,” says Bob Callaway, a chief architect at the enterprise open source software company Red Hat. “It’s certainly not a panacea that will fix everything, but it will make a big dent getting people to actually use best practices and cryptographic techniques that have been around for a long time and make releases more secure.”

Sigstore, which is affiliated with the Linux Foundation and currently led by Google, Red Hat and Purdue University, combines two components. First, it coordinates convoluted cryptography for its users; it even gives the option to literally handle everything for developers who can’t or don’t want to take on the extra work themselves. By using established, preexisting identifiers like an email address, or a third-party sign-in system like Sign In With Google or Sign In With Facebook, you can quickly start cryptographically signing code you produce as having been made by you at a certain time. Second, Sigstore automatically produces a public, immutable open source log of all activity. That provides public accountability of every submission, and a place to start investigating if something goes awry.
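The two components described above, an identity-bound signature plus an append-only public log, can be shown in miniature. The Go program below is an added illustration written for this article, not Sigstore's own code (Sigstore's real implementation issues short-lived certificates from its Fulcio CA and records entries in Rekor, a Merkle-tree log). It assumes the signer's identity has already been established by a sign-in provider and is passed in as a plain string, and it replaces the Merkle tree with a simpler hash chain. Each signing run generates a throwaway Ed25519 key, signs the artifact's digest, and records identity, public key, signature and timestamp in the log; the private key is never stored, so the log entry is the durable evidence. Verification checks both the signature and the integrity of the whole chain, so editing any earlier entry is detectable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// LogEntry records one signing event: who signed which artifact, with which
// ephemeral public key, and when. PrevHash chains it to the preceding entry.
type LogEntry struct {
	Index          int
	Timestamp      int64
	Identity       string // assumed to come from an OIDC sign-in (e.g. an e-mail address)
	ArtifactDigest [32]byte
	PublicKey      ed25519.PublicKey
	Signature      []byte
	PrevHash       [32]byte
	Hash           [32]byte
}

// TransparencyLog is an append-only, hash-chained list of entries (a stand-in
// for a Merkle-tree log such as Rekor).
type TransparencyLog struct {
	Entries []LogEntry
}

// computeHash binds every field of the entry, including the previous hash.
func (e *LogEntry) computeHash() [32]byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%d|%s|", e.Index, e.Timestamp, e.Identity)
	h.Write(e.ArtifactDigest[:])
	h.Write(e.PublicKey)
	h.Write(e.Signature)
	h.Write(e.PrevHash[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append admits an entry only if its signature verifies, then links it to the chain.
func (l *TransparencyLog) Append(identity string, digest [32]byte, pub ed25519.PublicKey, sig []byte, ts int64) (LogEntry, error) {
	if !ed25519.Verify(pub, digest[:], sig) {
		return LogEntry{}, errors.New("signature does not verify; entry rejected")
	}
	e := LogEntry{Index: len(l.Entries), Timestamp: ts, Identity: identity,
		ArtifactDigest: digest, PublicKey: pub, Signature: sig}
	if len(l.Entries) > 0 {
		e.PrevHash = l.Entries[len(l.Entries)-1].Hash
	}
	e.Hash = e.computeHash()
	l.Entries = append(l.Entries, e)
	return e, nil
}

// VerifyChain recomputes every hash and re-checks every link and signature;
// altering any earlier entry breaks the links that follow it.
func (l *TransparencyLog) VerifyChain() error {
	var prev [32]byte
	for i, e := range l.Entries {
		if e.Index != i || e.PrevHash != prev || e.computeHash() != e.Hash {
			return fmt.Errorf("chain broken at entry %d", i)
		}
		if !ed25519.Verify(e.PublicKey, e.ArtifactDigest[:], e.Signature) {
			return fmt.Errorf("bad signature at entry %d", i)
		}
		prev = e.Hash
	}
	return nil
}

// KeylessSign models the flow: fresh key pair, sign the artifact digest,
// publish identity + key + signature to the log, discard the private key.
func KeylessSign(log *TransparencyLog, identity string, artifact []byte, ts int64) (LogEntry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return LogEntry{}, err
	}
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(priv, digest[:])
	// priv is deliberately not persisted anywhere.
	return log.Append(identity, digest, pub, sig, ts)
}

// VerifyArtifact reports whether the log holds a valid signature over this
// artifact by the expected identity, after checking the log itself is intact.
func VerifyArtifact(log *TransparencyLog, identity string, artifact []byte) (bool, error) {
	if err := log.VerifyChain(); err != nil {
		return false, err
	}
	digest := sha256.Sum256(artifact)
	for _, e := range log.Entries {
		if e.Identity == identity && e.ArtifactDigest == digest &&
			ed25519.Verify(e.PublicKey, digest[:], e.Signature) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	log := &TransparencyLog{}
	release := []byte("constructed sample release tarball bytes") // constructed input
	e, err := KeylessSign(log, "dev@example.org", release, time.Now().Unix())
	if err != nil {
		panic(err)
	}
	fmt.Printf("logged entry %d for %s, hash %x\n", e.Index, e.Identity, e.Hash[:8])
	ok, err := VerifyArtifact(log, "dev@example.org", release)
	fmt.Println("verified:", ok, "err:", err)
}
```

The point a consumer of a signed release should take from this: verification is not only "does the signature check out" but also "does the public log still agree that this identity signed this digest at that time", which is what gives investigators a starting point when something goes wrong.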