Revolutionizing Software Security - Introducing Sigstore for Developers


Most developers have wondered at some point how trustworthy the software they depend on really is. Attacks on the software supply chain are on the rise, so it pays to be deliberate about checking where the software we use comes from and whether it has been altered on the way to us. That is where Sigstore comes in.

In this article, we'll look at what Sigstore is, how it works, and what it does and does not guarantee, so whether you are a seasoned developer or new to software security, read on.

What is Sigstore?

Sigstore is an open-source project that improves software supply chain security by making it easy to sign software artifacts and by recording every signature in a public, tamper-evident log.

Think of signing a document to show that you stand behind its contents. A Sigstore signature plays the same role for software: it lets a consumer check that an artifact really came from the identity that claims to have published it and has not been modified since. Note what it does not promise. A valid signature says the artifact is authentic and intact, not that it is free of bugs or malicious code, and if a signer's account is compromised, the attacker's artifacts will carry valid signatures too.

Sigstore is modeled on Let's Encrypt, the free, automated certificate authority (CA) that lets anyone obtain, renew and manage TLS certificates. Where Let's Encrypt made HTTPS certificates free and automatic, Sigstore does the same for code-signing certificates, and it borrows the idea of a public, append-only log from Certificate Transparency.

A defining feature of Sigstore is transparency. Because every signing event is recorded publicly, a consumer can establish a chain of trust from the original author to the end user, and anyone can audit who signed what and when. This makes it harder for an attacker to slip malicious code into the supply chain unnoticed: a tampered artifact fails verification, and a signature made with a stolen identity leaves a public record that the real owner can spot.

How Sigstore works

Sigstore's default "keyless" flow spares developers from managing long-lived signing keys. The client generates a fresh key pair (a public and a private key) for each signing operation, uses the private key once, and then discards it.

To sign, the developer first proves their identity to Fulcio, Sigstore's code-signing certificate authority, by logging in through an OpenID Connect (OIDC) provider such as GitHub, Google or Microsoft. Fulcio issues a short-lived certificate (valid for about ten minutes) that binds the ephemeral public key to that identity, for example an e-mail address or a CI workflow. The matching private key is then used to sign the artifact, in practice its SHA-256 digest rather than the whole file.

For transparency, the signature, the certificate and the artifact's digest are recorded in Rekor, a public, append-only transparency log. Rekor's entries show who signed what and when, for all to see, and the log is backed by a Merkle tree, so an entry cannot be altered or removed without leaving a detectable trace. Rekor also records the time of each entry, which is what later lets a verifier confirm that the signature was made while the short-lived certificate was still valid. Rekor records signing events; it does not scan the software for malicious content.
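To make the tamper-evidence concrete, here is an added Go example of the Merkle-tree inclusion proof a transparency log such as Rekor hands to a client. It was written for this article and is not Rekor's own code (Rekor is built on Trillian, which uses the same RFC 6962 hashing); the log entries are constructed JSON strings, not real Rekor records.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// RFC 6962 hashing, as used by Rekor's Merkle tree: leaves and interior nodes get
// different prefixes so a leaf can never be passed off as a node (or vice versa).
func hashLeaf(entry []byte) [32]byte {
	return sha256.Sum256(append([]byte{0x00}, entry...))
}

func hashNode(left, right [32]byte) [32]byte {
	buf := append([]byte{0x01}, left[:]...)
	return sha256.Sum256(append(buf, right[:]...))
}

// largestPow2Below returns the largest power of two strictly less than n (n >= 2).
func largestPow2Below(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// merkleRoot is the tree head the log publishes (and signs) over its leaf hashes.
func merkleRoot(leaves [][32]byte) [32]byte {
	switch n := len(leaves); n {
	case 0:
		return sha256.Sum256(nil)
	case 1:
		return leaves[0]
	default:
		k := largestPow2Below(n)
		return hashNode(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
	}
}

// inclusionProof is what the log server returns for an entry: the sibling hashes
// on the path from that leaf up to the root, lowest level first.
func inclusionProof(leaves [][32]byte, idx int) [][32]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := largestPow2Below(n)
	if idx < k {
		return append(inclusionProof(leaves[:k], idx), merkleRoot(leaves[k:]))
	}
	return append(inclusionProof(leaves[k:], idx-k), merkleRoot(leaves[:k]))
}

// verifyInclusion is the client side (RFC 6962 / RFC 9162 algorithm): recompute the
// root from the entry, its index, the tree size and the proof, and compare it with
// the root hash the client already trusts. The server is trusted for nothing else.
func verifyInclusion(entry []byte, idx, size int, proof [][32]byte, root [32]byte) bool {
	if idx >= size {
		return false
	}
	fn, sn := idx, size-1
	r := hashLeaf(entry)
	for _, p := range proof {
		if sn == 0 {
			return false // more proof nodes than the tree has levels
		}
		if fn&1 == 1 || fn == sn {
			r = hashNode(p, r) // sibling is on the left
			for fn&1 == 0 && fn != 0 {
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = hashNode(r, p) // sibling is on the right
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && r == root
}

// sampleLog returns constructed Rekor-style entries (invented for this example).
func sampleLog() [][]byte {
	return [][]byte{
		[]byte(`{"digest":"sha256:aaaa","signer":"dev@example.com","time":"2023-04-01T10:00:00Z"}`),
		[]byte(`{"digest":"sha256:bbbb","signer":"ci@example.com","time":"2023-04-01T10:05:00Z"}`),
		[]byte(`{"digest":"sha256:cccc","signer":"dev@example.com","time":"2023-04-01T10:09:00Z"}`),
		[]byte(`{"digest":"sha256:dddd","signer":"release@example.com","time":"2023-04-02T08:00:00Z"}`),
		[]byte(`{"digest":"sha256:eeee","signer":"dev@example.com","time":"2023-04-02T09:30:00Z"}`),
	}
}

func leafHashes(entries [][]byte) [][32]byte {
	leaves := make([][32]byte, len(entries))
	for i, e := range entries {
		leaves[i] = hashLeaf(e)
	}
	return leaves
}

func main() {
	entries := sampleLog()
	leaves := leafHashes(entries)
	root := merkleRoot(leaves)
	proof := inclusionProof(leaves, 2)
	fmt.Println("entry 2 included:", verifyInclusion(entries[2], 2, len(entries), proof, root))
	fmt.Println("altered entry included:", verifyInclusion([]byte("altered"), 2, len(entries), proof, root))
}
```

Five entries are used on purpose so the tree is not a perfect power of two, which is the case that trips up naive implementations. A real Rekor client additionally checks the signature on the signed tree head before trusting the root hash, and may verify a consistency proof to confirm the log only ever grows.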

To verify, a Sigstore client such as cosign checks the signature on the artifact with the public key from the certificate; checks that the identity in the certificate (and the OIDC issuer that vouched for it) matches the expected signer; verifies the certificate chain against Sigstore's root of trust, evaluated at the time the signature was logged rather than at the current time, since the certificate itself has long since expired; and checks the Rekor inclusion proof against the log's signed tree head to confirm the signing event was actually recorded.
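The following Go program, written for this article rather than taken from Sigstore's code base, walks through that sequence end to end: it stands up a throwaway root CA in place of Fulcio, issues a ten-minute code-signing certificate for an ephemeral key, signs an artifact's digest, and then runs the verification checks, including evaluating the certificate at the logged signing time. The identity dev@example.com, the root CA and the artifact bytes are all constructed for the example, and the Rekor side is represented only by the signedAt parameter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with the parent's key and parses the result back.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newRootCA stands in for Fulcio's root certificate (generated here for the example;
// a real client obtains the genuine root through Sigstore's TUF-distributed trust root).
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-fulcio-root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := makeCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueCert mimics Fulcio: bind a freshly generated public key to the caller's
// verified identity in a code-signing certificate that is valid for ten minutes.
func issueCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, identity string, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), EmailAddresses: []string{identity},
		NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return makeCert(tmpl, root, pub, rootKey)
}

// signArtifact is the keyless flow: ephemeral key, short-lived cert, signature over
// the artifact's SHA-256 digest. The private key is gone once this returns; only the
// cert, the signature and the signing time (what Rekor would record) survive.
func signArtifact(root *x509.Certificate, rootKey *ecdsa.PrivateKey, artifact []byte, identity string) (*x509.Certificate, []byte, time.Time, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, time.Time{}, err
	}
	now := time.Now()
	cert, err := issueCert(root, rootKey, &priv.PublicKey, identity, now)
	if err != nil {
		return nil, nil, time.Time{}, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return cert, sig, now, err
}

// verifyArtifact runs the client-side checks described above. signedAt is the time
// the transparency log recorded: by the time a user verifies, the cert has long
// expired, so validity is judged at signing time rather than at "now".
func verifyArtifact(root, cert *x509.Certificate, sig, artifact []byte, wantIdentity string, signedAt time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: signedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantIdentity {
		return errors.New("certificate identity does not match the expected signer")
	}
	digest := sha256.Sum256(artifact)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the certificate's key")
	}
	return nil
}

func main() {
	root, rootKey, err := newRootCA()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed release tarball contents") // constructed sample input
	cert, sig, at, err := signArtifact(root, rootKey, artifact, "dev@example.com") // assumed identity
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", verifyArtifact(root, cert, sig, artifact, "dev@example.com", at))
	fmt.Println("tampered:", verifyArtifact(root, cert, sig, []byte("trojaned"), "dev@example.com", at))
}
```

Verifying a tampered artifact, a different expected identity, or a signing time outside the certificate's ten-minute window all return an error. In a real client the signing time comes from Rekor's signed entry (or an RFC 3161 timestamp), the root from the TUF trust root, and the identity check also covers the OIDC issuer recorded in the certificate, not just the e-mail address, since two issuers can both vouch for an address of the same form.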

Terminologies used in Sigstore

If you are new to the security world, here are some terms and concepts you will meet while using Sigstore:

  • Container images: These are lightweight, standalone packages that bundle an application with everything it needs to run (code, runtime, libraries, configuration). Each image is identified by a content digest, and it is that digest that gets signed.

  • Blobs: These are arbitrary files outside a container registry, such as release binaries, tarballs, scripts or SBOMs. Cosign can sign and verify these too.

  • Cryptographic keys: These come as a pair, a private key that creates signatures and a public key that verifies them. Signing keys are not encryption keys; in Sigstore's keyless flow they are generated per signing operation and the private key is discarded afterwards.

  • Signature: Like your physical signature on a document, a digital signature is a value computed over an artifact (usually its digest) with a private key, showing that the holder of that key endorsed exactly that content. Any change to the artifact invalidates it.

  • Certificate: This is a digital document that binds a public key to an identity and is itself signed by a certificate authority.

  • Certificate authority (CA): The party that checks an identity and issues certificates for it. Anyone who trusts the CA can then trust the identities in the certificates it issued.

  • Fulcio: Sigstore's code-signing certificate authority. It issues certificates based on an OIDC identity token, and the certificates are short-lived (about ten minutes), so there is no long-lived key to leak.

  • Cosign: The Sigstore command-line tool for signing and verifying container images, and also blobs, SBOMs and other artifacts, to establish their integrity and authenticity.

  • Artifact: Any binary, package or other file that is signed and verified with Sigstore.

  • Digest: A fixed-size cryptographic hash (for example SHA-256) computed from an artifact's content. It uniquely identifies that content, and it is the value that is actually signed and recorded in Rekor.

Resources

Below are some resources you can check out to deepen your understanding of Sigstore:

Conclusion

With Sigstore, developers and organizations can take a concrete step toward improving the security and trustworthiness of their software supply chains. And because Sigstore is open source, you can inspect how it works and contribute to making it better and safer.