Linux Foundation boosts security with crypto signing and ID credentialing groups
Mar 10, 2021 — by Eric Brown
The Linux Foundation has launched a “sigstore” project for improving software security via cryptographic software signing and transparency logs. The LF also announced new members for OpenSSF and launched a “DizmeID Foundation” for digital ID credentialing.
The Linux Foundation has announced the launch of a sigstore project for cryptographic software signing, along with new members for its Open Source Security Foundation (OpenSSF). Other recent Linux Foundation security announcements include the launch of a DizmeID Foundation for digital ID credentialing and a new commitment from Google and the LF to prioritize funds to underwrite two full-time maintainers for Linux kernel security development (see below).
Sigstore focuses on artifact code signing
The new sigstore project intends to establish a free service to enable software developers to securely sign software artifacts such as release files, container images, and binaries. Signing materials are then stored in tamper-proof, public transparency logs, which enable the certificates and attestations to be globally visible, discoverable and auditable. Founding members of sigstore include Red Hat, Google, and Purdue University.
[Image: sigstore diagram showing software supply chain risks (left) and the sigstore process of recording an entry in the transparency log (right)]
As explained in this Google blog post, the sigstore service will act as an artifact code signing complement to the Linux Foundation-backed Let’s Encrypt certificate authority, which provides free certificates and automation tooling for HTTPS. The goal is to make it easy for developers to sign releases and for users to verify them. Because of the technical challenges of setting up key management, handling key compromise and revocation, and distributing public keys and artifact digests, “very few open source projects cryptographically sign software release artifacts,” says the Linux Foundation.
Users face additional challenges in determining which keys are trustworthy and in mastering validation methods. In addition, digests and public keys are distributed and often stored on unsecured websites. Sigstore aims to remedy these challenges by enabling the deployment of short-lived, ephemeral keys with a trust root leveraged from open and auditable public transparency logs.
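The signing and verification flow those paragraphs describe, as an added illustration in Go that is not sigstore’s own code: a throwaway Ed25519 key signs the artifact’s SHA-256 digest, the digest, public key and signature are appended to a small hash-chained log standing in for the public transparency log, the private key is then dropped, and a consumer later checks a download against the logged entry. The log structure, the function names and the sample artifact bytes are all constructed for this example; the real service’s log format and its binding of keys to identities are more elaborate than this model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is what a signer publishes to the log: the artifact digest, the
// short-lived public key that signed it, and the signature. The private key
// never appears here or anywhere after SignArtifact returns.
type Entry struct {
	Digest    [32]byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// leafHash canonicalises an entry so the log can commit to it.
func (e Entry) leafHash() [32]byte {
	buf := append([]byte{}, e.Digest[:]...)
	buf = append(buf, e.PublicKey...)
	buf = append(buf, e.Signature...)
	return sha256.Sum256(buf)
}

// TransparencyLog is a constructed stand-in for a public transparency log:
// append-only, each head committing to the previous head and the new leaf,
// so an entry cannot be altered or dropped without changing every later head
// that auditors have already recorded.
type TransparencyLog struct {
	entries []Entry
	heads   [][32]byte
}

// Append records an entry and returns its index and the resulting log head.
func (l *TransparencyLog) Append(e Entry) (int, [32]byte) {
	var prev [32]byte
	if n := len(l.heads); n > 0 {
		prev = l.heads[n-1]
	}
	leaf := e.leafHash()
	head := sha256.Sum256(append(prev[:], leaf[:]...))
	l.entries = append(l.entries, e)
	l.heads = append(l.heads, head)
	return len(l.entries) - 1, head
}

// Get returns the entry stored at index i.
func (l *TransparencyLog) Get(i int) (Entry, error) {
	if i < 0 || i >= len(l.entries) {
		return Entry{}, errors.New("no such log entry")
	}
	return l.entries[i], nil
}

// Audit recomputes the chain up to index i and checks that it still reaches
// the head the auditor recorded when that entry was published.
func (l *TransparencyLog) Audit(i int, seenHead [32]byte) bool {
	if i < 0 || i >= len(l.entries) {
		return false
	}
	var head [32]byte
	for j := 0; j <= i; j++ {
		leaf := l.entries[j].leafHash()
		head = sha256.Sum256(append(head[:], leaf[:]...))
	}
	return head == seenHead
}

// SignArtifact is the developer side: generate a throwaway Ed25519 key, sign
// the artifact's SHA-256 digest, publish the entry and let the private key go
// out of scope. The index and head are what ships with the release so
// consumers know which log entry to check.
func SignArtifact(artifact []byte, tlog *TransparencyLog) (int, [32]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, [32]byte{}, err
	}
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(priv, digest[:])
	idx, head := tlog.Append(Entry{Digest: digest, PublicKey: pub, Signature: sig})
	return idx, head, nil // priv is dropped here: nothing long-lived to manage or revoke
}

// VerifyArtifact is the consumer side: recompute the digest of the download,
// fetch the log entry and check digest, signature and log inclusion.
func VerifyArtifact(artifact []byte, idx int, head [32]byte, tlog *TransparencyLog) error {
	e, err := tlog.Get(idx)
	if err != nil {
		return err
	}
	if sha256.Sum256(artifact) != e.Digest {
		return errors.New("digest mismatch: download is not what was signed")
	}
	if !ed25519.Verify(e.PublicKey, e.Digest[:], e.Signature) {
		return errors.New("signature does not verify under the logged public key")
	}
	if !tlog.Audit(idx, head) {
		return errors.New("log entry is not consistent with the recorded head")
	}
	return nil
}

func main() {
	tlog := &TransparencyLog{}
	artifact := []byte("constructed release tarball contents v1.0") // stand-in for a real file
	idx, head, err := SignArtifact(artifact, tlog)
	if err != nil {
		panic(err)
	}
	fmt.Printf("published entry %d, log head %s\n", idx, hex.EncodeToString(head[:]))
	fmt.Println("genuine download:", VerifyArtifact(artifact, idx, head, tlog))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered download:", VerifyArtifact(tampered, idx, head, tlog))
}
```

The point of the hash chain is the last check in VerifyArtifact: a consumer compares the recomputed chain against a head it (or any auditor) recorded earlier, so a log operator who rewrote a published entry after the fact would be caught, which is what makes the log, rather than a website hosting digests, a usable trust root.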
“Securing a software deployment ought to start with making sure we’re running the software we think we are,” stated Josh Aas, executive director, ISRG/Let’s Encrypt. “Sigstore represents a great opportunity to bring more confidence and transparency to the open source software supply chain.”
OpenSSF adds members
In another Linux Foundation announcement yesterday, the Open Source Security Foundation announced several new members. Citi, Comcast, DevSamurai, Hewlett Packard Enterprise (HPE), Mirantis, and Snyk will all be joining the OpenSSF, which aims to improve supply chain security for open source software via best practices and education programs.
OpenSSF working groups include Securing Critical Projects, Security Tooling, Identifying Security Threats, Vulnerability Disclosures, Digital Identity Attestation, and Best Practices. Founding members in the now 35-member group include Facebook, Google, Huawei, Intel, Microsoft, Red Hat, Samsung, and other tech heavyweights.
DizmeID Foundation takes on ID credentialing
On Feb. 24, the Linux Foundation launched the DizmeID Foundation with the intent to support digital identity credentialing. DizmeID “will combine the benefits of self-sovereign identity with necessary compliance and regulation, with the aim to enable wallet holders with ownership and control over their digital identity and data access and distribution,” says the LF.
The DizmeID Foundation technical project starts from the LF’s Trust Over IP metamodel project and builds on its three infrastructure layers to work on layer 4. The new layer adds InfoCert’s blockchain-based Dizme digital identity app on top of the Sovrin public identity utility.
The new DizmeID technology will likely incorporate a Hyperledger stack as well as a monetization layer based on Algorand’s blockchain protocol, “which will enable the exchange of verifiable credentials and the development of new vertical applications,” says the LF. Founding members include InfoCert, Algorand and Fabrick.
Google funds kernel security maintainers
Also on Feb. 24, Google and the Linux Foundation announced they are prioritizing funds to underwrite two full-time maintainers for Linux kernel security development. Gustavo Silva and Nathan Chancellor will work exclusively on securing the Linux kernel.
Chancellor will focus on triaging and fixing Clang/LLVM compiler bugs and on establishing continuous integration systems to maintain the process. Future plans include adding features to the kernel using Clang and LLVM.
Silva, meanwhile, will continue his work to eliminate several classes of buffer overflows. This entails transforming all instances of zero-length and one-element arrays into less error-prone flexible-array members. In addition, Silva will continue to catch bugs before they hit mainline “while also proactively developing defense mechanisms that cut off whole classes of vulnerabilities,” says the LF.