After 2020 In the SolarWinds cyber espionage campaign, Russian hackers slipped tainted updates into widely used IT management platforms, and a series of other software supply chain attacks continue to demonstrate the urgent need to lock down the software chain of custody. This problem is especially pressing in open source projects, which are inherently decentralized and often ad hoc. The company this week laid out a plan to provide extended defenses for open source security, after a series of worrying compromises over widely downloaded JavaScript packages from the famous “npm” registry owned by GitHub.
GitHub, itself owned by Microsoft, announced Monday that it plans to support code signing, a kind of digital wax seal, for npm packages using the code signing platform Sigstore. The tool stems from cross-industry collaboration, making it easier for open source maintainers to verify that the code they create is the same code that ends up in packages that people around the world actually download.
“While most npm packages are open source, there is currently no guarantee that packages on npm are built from the same source code that was released,” said Justin Hutchings, director of product management at GitHub. “Supply chain attacks are on the rise, and adding signed build information to open source software packages to verify where the software came from and how it was built is a great way to reduce the attack surface.”
In other words, it’s all about creating a password-authenticated and transparent phone game.
Dan Lorenc, CEO of Chainguard, which co-developed Sigstore, emphasized that while GitHub is not the only part of the open source ecosystem, it is definitely a vital town square for the community, as it is where the vast majority of projects are stored and published their source code.However, when developers really want to download an open source application or tool, they usually go to a package manager
“You don’t install the source code directly, you usually install some compiled form of it, so something happens between the source code and the creation of the package. So far, this whole step is just a black box in open source,” explains Lorenc . “You see the code and you go to download the package, but there’s no evidence that the package came from that code or involved the same people, so that’s what GitHub is fixing.”
By providing Sigstore to package managers, every stage of the software journey is more transparent, and the Sigstore tool helps developers manage cryptographic checks and requirements as the software moves through the supply chain. Lorenc said many people were shocked to hear that these sanity checks were not in place, and that many in the open source ecosystem had long relied on blind trust. In May 2021, the Biden White House issued an executive order specifically targeting software supply chain security.
