A series of software supply chain attacks has shown how urgent it is to lock down the chain of custody for software. In open source, the issue is particularly pressing. This week GitHub laid out a plan to offer expanded defenses for open source security after a series of worrying compromises of widely downloaded JavaScript software packages.

GitHub, which is owned by Microsoft, will support the code signing platform Sigstore. The tool grew out of a cross-industry collaboration to make it easier for open source maintainers to verify that the code they write is the same code that ends up in the software packages actually being downloaded.

There is currently no guarantee that a package on npm is built from the same source code that has been published. Adding signed build information to open source packages, so that consumers can verify where the software came from, is a good way to reduce the attack surface.

It's all about creating a game of telephone.

While GitHub isn't the only component of the open source community, it's an important town square for that community because it's where most projects store and publish their source. Developers usually use a package manager to download open source software.

Something happens between the creation of the source code and the installation of the package. That entire step has been an opaque box in open source. There is no proof that the package came from the same person or the same code, and that is what GitHub is fixing.

By bringing Sigstore to package managers, there is more transparency at every stage of the software's journey, and the Sigstore tools help developers manage cryptographic checks and requirements as software moves through the supply chain. Many people are shocked to hear that these integrity checks aren't already in place, and that much of the open source community has been relying on blind trust for a long time. The Biden White House has also issued an executive order on the subject.