After 2020 SolarWinds’ cyber espionage campaignin which Russian hackers injected contaminated updates into a widely used IT management platform, a variety of other software supply chain attacks further emphasizes the urgent need of locking down software action sequences. And the problem is especially annoyed in open source, where projects are inherently decentralized and often ad hoc endeavors. After a series of the worried compromise For JavaScript software packages widely downloaded from the prominent GitHub-owned “npm” registry, the company launched a plan this week to provide extended protections for security open source cryptography.
GitHub, itself owned by Microsoft, announced on Monday that it plans to support code signing, a kind of digital wax seal, for npm software packages to use. Sigstore code signing platform. This tool has evolved through industry collaboration to make it much easier for open source maintainers to verify that the code they generate is the same code in the actual software packages. people all over the world download it or not.
“While most npm packages are open source, there is currently no guarantee that a package on npm is built from the same source code that was built from the same source code,” said Justin Hutchings, director of product management at GitHub. published. “Supply chain attacks are on the rise, and adding signed build information to open source packages confirming the provenance of the software and how it was built is a great way to reduce the surface attack”.
In other words, it’s all about creating a transparent and cryptographically verified phone game.
Dan Lorenc, CEO of Chainguard, the Sigstore co-developer, emphasized that while GitHub is not the only component of the open source ecosystem, it is an absolutely important town square. community because that’s where most projects host and publish source code. However, when developers really want to download open source apps or tools, they usually go to the package manager
“You don’t install the source code directly, you usually install some compiled form of it, so something happened between the source code and the package generation. And so far, that whole step has just been a black box in open source,” explains Lorenc. “You see the code and then download the package, but nothing proves that the package came from that code or the same person involved, so that’s what GitHub is fixing.”
By making Sigstore available to package managers, there is more transparency at every stage of the software’s journey, and Sigstore tools help developers manage requirements and test cryptography as the software progresses. soft moves through the supply chain. Lorenc says that many people are shocked to learn that these integrity checks have not yet been adopted and that a lot of open source ecosystems have relied on blind trust for a long time. In May 2021, the Biden White House issue an executive order specifically deals with software supply chain security.
