{"id":204333,"date":"2021-03-17T15:00:29","date_gmt":"2021-03-17T12:00:29","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-the-linux-foundations-software-signing-combats-supply-chain-attacks-cloudsavvy-it\/"},"modified":"2021-03-17T15:00:29","modified_gmt":"2021-03-17T12:00:29","slug":"how-the-linux-foundations-software-signing-combats-supply-chain-attacks-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-the-linux-foundations-software-signing-combats-supply-chain-attacks-cloudsavvy-it\/","title":{"rendered":"#How the Linux Foundation\u2019s Software Signing Combats Supply Chain Attacks \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How the Linux Foundation\u2019s Software Signing Combats Supply Chain Attacks \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 700px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10230 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/dab235ae0c4d4777844ff6dec52d7924\/p\/uploads\/2021\/03\/ba184e6b.png\" alt=\"\" width=\"700\" height=\"350\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-photo\/closed-finger-on-keyboard-word-open-583886164\" data-credittext=\"Shutterstock\/kenary820\" 
\/><figcaption class=\"wp-caption-text\"><span class=\"imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/closed-finger-on-keyboard-word-open-583886164\">Shutterstock\/kenary820<\/a><\/span><\/figcaption><\/figure>\n<p>Open source projects being compromised and used to spread malware could be a thing of the past. The Linux Foundation\u2019s software signing initiative wants to be a Let\u2019s Encrypt for software releases.<\/p>\n<h2 id=\"the-problem\"><span class=\"ez-toc-section\" id=\"The_Problem\"><\/span>The Problem<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The widespread use of open source is astonishing. Open source software, tools, and libraries are found in almost all non-trivial software development taking place today. Unfortunately, the very thing that makes open source attractive\u2014you have access to the source code of the software and anyone can submit bug fixes and new features\u2014presents an attack vector that can be exploited by threat actors.<\/p>\n<p>Open source projects have had malicious code injected into them by cybercriminals who use the popularity of the open source product as a distribution method for their malware. Typically it will provide the threat actors with a backdoor onto the victims\u2019 computers. It may also run a keystroke logger or download the actual malicious software from the cybercriminal\u2019s servers.<\/p>\n<p>This type of attack is a form of\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Supply_chain_attack\">supply chain attack<\/a>. 
In a supply chain attack, the victims are not directly compromised. The malicious payload is inserted into something at one of the victim\u2019s suppliers. When the victim procures the tainted item, the malicious payload is triggered and the victim is compromised. The most famous example of a supply chain attack was the one used in the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Stuxnet\">Stuxnet<\/a>\u00a0attack on the uranium enrichment plant at Natanz, Iran.<\/p>\n<p>Open source software is an obvious platform for cybercriminals to use for this type of attack. In response, the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/linuxfoundation.org\/\">Linux Foundation<\/a>\u00a0is launching\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/sigstore.dev\/\">sigstore<\/a>. sigstore is a\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.linuxfoundation.org\/en\/press-release\/linux-foundation-announces-free-sigstore-signing-service-to-confirm-origin-and-authenticity-of-software\/\">free service<\/a>\u2014jointly developed with\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/about.google\/\">Google<\/a>,\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.redhat.com\/en\">Red Hat<\/a>, and\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.purdue.edu\/\">Purdue University<\/a>\u2014that software developers can use to digitally sign their software releases.<\/p>\n<p>sigstore protects open source consumers from attacks such as dependency confusion. These attacks dupe package managers into installing a remotely hosted malicious version of a locally available resource such as a library file. 
The package manager is told that the software being installed has a dependency which requires the local library file to be upgraded. The remotely hosted tainted version has a higher version number, which satisfies the bogus dependency. The \u201cupgrade\u201d takes place and the system is compromised.<\/p>\n<h2 id=\"how-sigstore-works\"><span class=\"ez-toc-section\" id=\"How_sigstore_Works\"><\/span>How sigstore Works<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As with all signing and certification schemes, the worth of the signature or certificate is tied to the degree of trust people have in the issuing authority. sigstore uses the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/openid.net\/\">OpenID Foundation\u2019s<\/a>\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/openid.net\/connect\/\">OpenID Connect<\/a>, which is based on the industry-standard\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/X.509\">X.509<\/a>\u00a0scheme for defining and managing certificates.\u00a0sigstore uses the OpenID authentication protocol to bind the certificates to the identity of the developer. Usually, this is their email address or another account identifier.<\/p>\n<p>The sigstore client creates a short-duration key pair. It queries the sigstore <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Public_key_infrastructure\">Public Key Infrastructure<\/a> (PKI), which checks for a valid OpenID Connect verification and issues a certificate if all is well. The certificate is created using the key pair that will be used to sign the software.<\/p>\n<p>An audit trail of certificates and signings is maintained as an immutable public log. The log can be used to verify software releases and certificates. It provides publicly accessible proof of the signature on a file. 
Subsequent signatures will be unique because the time and date are also recorded.\u00a0This provides a set of assurances about the origin and provenance of the open source files and allows signature-based security policies to trap files that cannot be verified and trusted.<\/p>\n<p>If malicious code is injected into an open source project and is not caught by the merge management or code and peer review processes, it could be compiled into a binary. If the binary is then digitally signed, sigstore won\u2019t know about that embedded threat and could theoretically certify a malicious release.<\/p>\n<p>In that circumstance the public signing log could be an asset to investigations into the attack, and could serve as a means of early warning to others of a compromised binary. Systems could be built that compare the binary certificates against a database of known good and proven bad releases.<\/p>\n<p>This could work in a similar way to the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned website<\/a>. You can manually search for your email address through their website. If your email address is found, it means it has been included in a data breach. You\u2019re told which data breach from which site exposed your personal details.<\/p>\n<p>It\u2019s not hard to imagine systems that would check the version number and signing authenticity against a reference database that sends back a go\/no-go decision regarding a signed software release. In addition, developers could be notified each time their email address or OpenID Connect ID has been used in a signing event. 
If they didn\u2019t initiate that event, it needs investigation.<\/p>\n<h2 id=\"lets-encrypt-but-for-software\"><span class=\"ez-toc-section\" id=\"Lets_Encrypt_But_For_Software\"><\/span>Let\u2019s Encrypt, But For Software<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In a\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/security.googleblog.com\/2021\/03\/introducing-sigstore-easy-code-signing.html\">March 2021 blog post<\/a>, Google describes sigstore as being like\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/letsencrypt.org\/\">Let\u2019s Encrypt<\/a>, but for software releases. Let\u2019s Encrypt is a free and open certificate authority that generates <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Public_key_certificate\">SSL\/TLS certificates<\/a> for HTTPS websites. It allows those websites to positively authenticate themselves so visitors can be certain that the website really is what it says it is. Once the identity of the website has been established, the public key information in the certificate is used by the visitor\u2019s browser to encrypt the communications between their computer and the website. The process to get a certificate from Let\u2019s Encrypt is automated.<\/p>\n<p>The Google blog continues: \u201cJust like how Let\u2019s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code. Sigstore also has the added benefit of being backed by transparency logs, which means that all the certificates and attestations are globally visible, discoverable, and auditable.\u201d<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Taming_the_Wild_West\"><\/span>Taming the Wild West<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The way open source software is used today was unimaginable only 10 years ago. 
The adoption of open source in the wider development world is due to more than access to the source code, the code quality, and the turnaround time for bug fixes and patches.<\/p>\n<p>Open source used to be regarded with suspicion. But organizations\u00a0<em>get<\/em>\u00a0open source now. The open source model is recognized as having more to do with marketing and publishing than with a devotion to the many variants of the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.gnu.org\/licenses\/gpl-3.0.en.html\">GNU General Public License<\/a>\u00a0(GPL).<\/p>\n<p>Mainly, it\u2019s a way to get your code or product <em>out there<\/em>.\u00a0Get a\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/\">GitHub<\/a>\u00a0account, write your program, and tell people it\u2019s available. If it\u2019s any good it\u2019ll grow and, hopefully, snowball. Want to get involved in an open source project? Simple. Push a merge request to their\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Git\">Git<\/a>\u00a0repository, or offer to help with their documentation.<\/p>\n<p>Open source has been disruptive in the most positive of ways.\u00a0But it has also been a free-for-all. The open source ecosystem has been crying out for something that can provide the software supply chain with transparency, verification, and auditing.<\/p>\n<p>sigstore shows all the potential to fill that need with a system that is\u00a0free, easy, and scalable.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/10200\/how-the-linux-foundations-software-signing-combats-supply-chain-attacks\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How the Linux Foundation\u2019s Software Signing Combats Supply Chain Attacks \u2013 CloudSavvy IT&#8221; Shutterstock\/kenary820 Open source projects being compromised and used to spread malware could be a thing of the past. The Linux Foundation\u2019s software signing initiative wants to be a Let\u2019s Encrypt for software releases. 
The Problem The widespread use of open source is&#8230;<\/p>\n","protected":false},"author":1,"featured_media":204334,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/03\/ba184e6b.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-204333","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/204333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=204333"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/204333\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/204334"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=204333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=204333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=204333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}