
Linux Foundation unveils Sigstore — a Let's Encrypt for code signing [1] [2]

> The Linux Foundation, Red Hat, Google, and Purdue have unveiled the free 'sigstore' service that lets developers code-sign and verify open source software to prevent supply-chain attacks.

> As demonstrated by the recent dependency confusion attacks and malicious typo-squatted NPM packages, the open-source ecosystem is commonly targeted for supply-chain attacks.

> To pull these attacks off, threat actors will create malicious open-source packages and upload them to public repositories using names similar to popular legitimate packages. If a developer mistakenly includes the malicious package in their own project, malicious code will automatically be executed when the project is built.

> To prevent these types of attacks, 'sigstore' will be a free-to-use non-profit software signing service that allows developers to sign open-source software and verify their authenticity.

> "You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code."

[1] https://www.bleepingcomputer.com/news/security/linux-foundat...

[2] https://www.sigstore.dev

Coming Soon™

Not available to us plebs and vague enough that it isn't even clear if they provide Windows-compatible code signing certs.
