The Linux Foundation is launching "sigstore," a free-to-use software signing certificate authority open to all developers.
Code signing cryptographically authenticates that software has not been tampered with before installation. It can be a valuable tool to prevent hackers from co-opting patching systems or software distribution to deliver malware.
But it can be a difficult feature for open source software producers to leverage, given the complexities of the process and key management.
The sigstore project opens with Google, Purdue University and Red Hat as founding members. The announcement comes less after a month after Google announced that it was underwriting two Linux kernel security positions through the Linux Foundation.
The "sigstore aims to make all releases of open source software verifiable, and easy for users to actually verify. I'm hoping we can make this easy as exiting vim," said Dan Lorenc of Google's Open Source Security Team, joking about the tough-to-quit text editor. "Watching this take shape in the open has been fun. It's great to see sigstore in a stable home."
sigstore comes as more organizations begin to think critically about third party risk, particularly after the SolarWinds hackers coopted the update system to breach downstream users. That said, it's worth noting that in SolarWinds, malware was inserted into updates early enough in the process that code signing would not have caught the problem.
Still, the founding members of sigstore believe the project can drastically change the environment for software authentication.
“We are happy to host and contribute to work that enables software maintainers and consumers alike to more easily manage their open source software and security," said Mike Dolan, senior vice president and general manager of projects for the Linux Foundation, in a statement.