The most popular and comprehensive Open Source ECM platform
Open Source: Digital Certificates for Secure Software Deliveries
Code signing of software is a way to verify the author of the software and confirm that the code has not been altered or corrupted since the time it was released. Code signing to validate authenticity and integrity is based on cryptography. Code signing is a security measure that guarantees that the unaltered software is being deployed.
The process of code signing typically involves purchasing a digital certificate from a certificate authority and then applying the certificate to the software executable or script before distribution.
Today, the Linux Foundation is announcing s project called sigstore with the purpose of making it easier and cheaper to be able to digitally sign software. The purpose of sigstore is to let developers sign software artifacts like release files, container images, and binary executables. The project is being managed by Red Hat, Google and Purdue University and will be freely available to all developers and software providers.
Josh Aas, executive director of Letâ€™s Encrypt, said that “securing a software deployment ought to start with making sure we’re running the software we think we are. Sigstore represents a great opportunity to bring more confidence and transparency to the open source software supply chain.”
Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, University of Purdue, said that “I am very excited about the prospects of a system like sigstore. The software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure. This will set a new tone in the software supply chain security conversation.”
Leave a Reply