Russia's historically destructive NotPetya malware attack and its more recent SolarWinds cyberespionage campaign have something in common besides the Kremlin: They're both real-world examples of software supply chain attacks. It's a term for what happens when a hacker slips malicious code into legitimate software that can spread far and wide. And as more supply chain attacks emerge, a new open source project is angling to take a stand, making a crucial safeguard free and easy to implement.
The founders of Sigstore hope that their platform will spur adoption of code signing, an important protection for software supply chains but one that popular and widely used open source software often overlooks. Open source developers don't always have the resources, time, expertise, or wherewithal to fully implement code signing on top of all the other nonnegotiable components they need to build for their code to function.
“Until about a year and a half ago I felt like the crazy person standing on the corner with a sign that says ‘The End Is Coming.’ Nobody understood the problem,” says Dan Lorenc, an open source software supply chain researcher and engineer at Google. “But in the past year things have changed considerably. Now everybody is talking about supply chain security, we have an Executive Order about it, and everybody is starting to realize how critical open source is and how we need to actually put some resources behind fixing the security of it for everybody.”
Lorenc is far from the only researcher who focused on the challenges of securing open source projects or the supply chain. But the mainstream attention generated by recent high-profile hacks garnered a whole new level of enthusiasm for work Lorenc and his collaborators already had underway.
To understand Sigstore's significance you need to have a sense of what code signing does. Think of it like battle orders delivered in olden times. Generals would recognize the handwriting of the royal scribe, the commander in chief's signature, and the detailed wax seal on the envelope, while a carefully vetted network of pages delivered the messages in a controlled chain of custody. That system worked because it was extremely difficult—though not totally impossible—for an outside entity to infiltrate the process, replicate crucial elements, and get around all those integrity checks.
The same is true for cryptographic code signing. You can't just make up a Windows update and distribute it to your closest friends or enemies. Only Microsoft can do that, unless something has gone very wrong. One reason it's so challenging for anyone other than Microsoft to send updates to your Windows laptop is that the software needs to have been “signed” by the right creator at the right time. It's the John Hancock and wax seal of the digital era.
You can see why the stakes are so high, though, for ancient battles and modern software alike. If someone could send rogue orders or updates, they could stage a coup—or compromise billions of computers. The benefits of code signing are clear, but getting hobbyists, volunteers, and other open source contributors to incorporate it requires a low barrier to entry.
“These are huge issues that put the entire world’s infrastructure at risk,” says Bob Callaway, a chief architect at the enterprise open source software company RedHat. “It’s certainly not a panacea that will fix everything, but it will make a big dent getting people to actually use best practices and cryptographic techniques that have been around for a long time and make releases more secure.”
Sigstore, which is affiliated with the Linux Foundation and currently led by Google, Red Hat and Purdue University, combines two components. First, it coordinates convoluted cryptography for its users; it even gives the option to literally handle everything for developers who can't or don't want to take on the extra work themselves. By using established, preexisting identifiers like an email address or a third-party sign-in system like Sign In With Google or Sign In With Facebook, you can quickly start cryptographically signing code you produce as having been made by you at a certain time. Second, Sigstore automatically produces a public, immutable open source log of all activity. That provides public accountability of every submission and a place to start investigating if something goes awry.
“Around 2019 I was talking with Luke Hinds at RedHat, and I said wouldn’t it be cool if we could have basically a paper trail of everything that happened in the software supply chain, some sort of transparency log,” says Santiago Torres-Arias, a supply chain researcher at Purdue University. “Then he disappeared for a couple of months. And then he came back with a prototype.”
On Friday, Lorenc, Torres-Arias, Callaway, Hinds, and secure software distribution researcher Marina Moore of New York University will all participate in a public cryptographic ceremony to become the progenitor key-holders of Sigstore. They'll generate and load encryption keys, essentially passwords, onto secure thumb drives that will remain in their possession for four months. After that the keys will rotate in another ceremony to other holders—a gesture toward the goal of making Sigstore a neutral community project. Any changes to the system will require the presence of three out of five key-holders. This establishes a “root of trust” for all of the development projects that will be able to adopt SigStore going forward.
“It's definitely both scary and exciting,” NYU's Moore says. “This is one of the five keys that’s underpinning the security of the whole system. If all is well I'll just lock it in a safe for four months, but it's definitely something I've been thinking about.”
Sigstore will need to be widely adopted to be successful. But with supply chain attacks looming as an increasingly mainstream concern, the five key-holders say they think that something easy and free really has the potential to take off. A similar project called Let's Encrypt issues free encryption certificates to websites and has been a huge driver in the global effort to encrypt the vast majority of web traffic. To date it has issued certificates to more than 260 million websites.
One reason open source security is so complicated is that it's easy to grab code from various projects around the web and incorporate it into other software, both open and proprietary. This creates a supply chain nightmare, because some open source projects are widely used even though they aren't well-maintained or have even been abandoned altogether. Code signing certainly doesn't solve every problem, and supply chain hacks can still happen even when a developer signs their code. But given how sophisticated those attacks get, any project that doesn't incorporate basic protections like signing put themselves at real risk.
“This is about identifying low-hanging fruit first,” says Perdue's Torres-Arias.
As for Friday's key ceremony, the event adds transparency to a process that is usually done behind closed doors at large companies or institutions. And while the first five key-holders will only bear the responsibility during the fledgling months of Sigstore's release, the role could someday take on even more gravity if the project provides the code signing foundation for numerous high-profile projects.
“You know, I have not really dwelled on whether we’re going to be hunted down by James Bond types,” Red Hat's Hinds says of being a key-holder. “Who knows, let’s see how big we become."