Security
Headlines
HeadlinesLatestCVEs

Headline

Github Moves to Guard Open Source Against Supply Chain Attacks

The popular Microsoft-owned code repository plans to roll out code signing, which will help beef up the security of open source projects.

Wired
#web#google#microsoft#linux#red_hat#nodejs#git#java#kubernetes

Following the 2020 SolarWinds cyberespionage campaign in which Russian hackers slipped tainted updates into a widely used IT management platform, a series of other software supply chain attacks has continued to show the urgent need to lock down software chains of custody. And the issue is particularly pressing in open source where projects are inherently decentralized and often ad hoc endeavors. After a series of worrying compromises to widely downloaded JavaScript software packages from the prominent “npm” registry, which is owned by GitHub, the company laid out a plan this week to offer expanded defenses for open source security.

GitHub, which itself is owned by Microsoft, announced on Monday that it plans to support code signing, a sort of digital wax seal, for npm software packages using the code signing platform Sigstore. The tool grew out of cross-industry collaboration to make it much easier for open source maintainers to verify that the code they create is the same code that ends up in the software packages actually being downloaded by people worldwide.

“While most npm packages are open source, there’s currently no guarantee that a package on npm is built from the same source code that’s published,” says Justin Hutchings, GitHub’s director of product management. “Supply chain attacks are on the rise, and adding signed build information to open source packages that validates where the software came from and how it was built is a great way to reduce the attack surface.”

In other words, it’s all about creating a cryptographically verified and transparent game of telephone.

Dan Lorenc, CEO of Chainguard, which co-develops Sigstore, emphasizes that while GitHub isn’t the only component of the open source ecosystem, it’s an absolutely crucial town square for the community because it’s where the vast majority of projects store and publish their source code. When developers actually want to download open source applications or tools, though, they typically go to a package manager

“You don’t install source code directly, you usually install some compiled form of it, so something has happened in between the source code and the creation of the package. And up until now, that whole step has just been a black box in open source,” Lorenc explains. “You see the code and then go and download the package, but there’s nothing that proves that the package came from that code or the same person was involved, so that’s what GitHub is fixing."

By offering Sigstore to package managers, there’s much more transparency at every stage of the software’s journey, and the Sigstore tools help developers manage cryptographic checks and requirements as software moves through the supply chain. Lorenc says that many people are shocked to hear that these integrity checks aren’t already in place and that so much of the open source ecosystem has been relying on blind trust for so long. In May 2021, the Biden White House issued an executive order that specifically addressed software supply chain security.

“People say, ‘didn’t we already have this?’ That gap where there’s the code and then there’s the package—most people just don’t believe you or are terrified," Lorenc says.

Sigstore is co-developed by The Linux Foundation, Google, Red Hat, Purdue University, and Chainguard. The open source software development platform Kubernetes now supports Sigstore, and there is an official tool for signing Python package distributions using Sigstore.

“Traditional methods of managing signing keys just don’t scale well to the sheer size of the open source community and don’t give insight into how the software was built," GitHub’s Hutchings says. “One of the things we like about Sigstore is that it’s zero-configuration for end users, so we can scale this up with our developer ecosystem regardless of where the source code lives."

Similar to the massive industry effort to promote HTTPS web encryption, made possible in large part by tools like Let’s Encrypt from the nonprofit Internet Security Research Group, Sigstore relies on being free and easy to use to spur adoption. Github says it is starting with a proposal on how Sigstore will be implemented for npm and an open comment period to get feedback from the community on exactly how the tool will be deployed. But ultimately the goal is to bring such code signing to as much of the open source world as possible to make supply chain attacks much more difficult.

“We want to see a world where eventually all software artifacts are signed and linked back to the source code,” GitHub’s Hutchings says. “That is why it is so important to build on an open technology stack like Sigstore that other packaging repositories can adopt as well."

Wired: Latest News

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist