Security matters at every level, whatever operating system or device we use: a single mistake can cost us dearly. In this article we look at Sigstore, a new free service introduced by the Linux Foundation that aims to let developers sign code and verify open source software in order to prevent attacks.
Sigstore, the new service to sign and verify software
The service has been introduced by the Linux Foundation together with Red Hat, Google and Purdue University. Its aim is to let developers sign code and so prevent attacks on the software supply chain.

Keep in mind that the open source ecosystem is a frequent target. A common attack is typosquatting: attackers create malicious open source packages and upload them to public repositories under names that look like those of popular legitimate packages. If a developer includes such a package in a project by mistake, its code runs automatically when the package is installed or the project is built, because package managers execute install scripts without asking.
Sigstore is intended to make this type of attack harder. It is, as we have indicated, a free and open source software signing service that lets developers sign open source software and lets consumers verify its authenticity. Note that a signature only proves who published an artifact, not that the artifact is safe: verification has to be pinned to the identity you expect, so that a look-alike package signed by someone else is rejected.
We can say that it is comparable to Let’s Encrypt, which provides free certificates and automation tools for HTTPS. For its part, Sigstore provides free certificates and tools to automate and verify software signatures.
Sigstore relies on three pieces: short-lived signing certificates issued against an OpenID Connect identity, a public transparency log in which every signature is recorded, and a dedicated root CA used for code signing only. The project is still under development, so we will have to wait until it is fully operational. As with TLS certificates, a signature is only worth anything if the consuming side actually verifies it.
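To make the three pieces concrete, here is an added example written for this page; it is not Sigstore's own code, which lives in the Fulcio, Rekor and cosign projects. It models the keyless flow in Go with only the standard library: a constructed root CA restricted to code signing, a ten-minute certificate naming an OIDC-verified e-mail (validating the ID token itself is left out; the caller passes the identity it proved), an in-memory slice standing in for the transparency log, and a verifier that judges the certificate at the log's integrated time rather than at verification time. The CA name, the e-mail addresses, the package contents and the ten-minute lifetime are all assumptions. It also shows what the typosquatting paragraph above leaves implicit: the verifier pins the expected identity, so an artifact that was modified, signed under another identity, never logged, or logged outside the certificate's window is rejected.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// CA is a root used for nothing but code signing (Fulcio's role in Sigstore).
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewCA builds a self-signed root whose only permitted key usage is issuing certificates.
func NewCA(now time.Time) *CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "example code-signing root (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &CA{Cert: cert, key: key}
}

// Issue binds an OIDC-verified e-mail to an ephemeral public key for ten minutes.
// Checking the OIDC ID token is omitted; the caller passes the identity it proved.
func (ca *CA) Issue(email string, pub *ecdsa.PublicKey, now time.Time) []byte {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, EmailAddresses: []string{email},
		NotBefore:    now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	check(err)
	return der
}

// Entry is one record of the public transparency log (Rekor's role). A real log is a
// Merkle tree with inclusion proofs; here Log is a slice and membership is a search.
type Entry struct {
	Digest, Sig, CertDER []byte
	IntegratedTime       time.Time
}

type Log struct{ Entries []Entry }

// Sign is one keyless signing: fresh key, short-lived cert, signature, log upload.
// The private key is dropped on return; the log entry is all that is kept.
func Sign(ca *CA, tlog *Log, email string, artifact []byte, now time.Time) Entry {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	e := Entry{Digest: digest[:], Sig: sig, CertDER: ca.Issue(email, &key.PublicKey, now), IntegratedTime: now}
	tlog.Entries = append(tlog.Entries, e)
	return e
}

// Verify is the consumer side: the cert must chain to the code-signing root at the
// log's integrated time (not at verification time, when it has long expired), name
// the expected identity, sign this exact artifact, and match a log entry exactly.
func Verify(root *x509.Certificate, tlog *Log, e Entry, email string, artifact []byte) error {
	cert, err := x509.ParseCertificate(e.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: e.IntegratedTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("certificate: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != email {
		return errors.New("certificate was issued to a different identity")
	}
	digest := sha256.Sum256(artifact)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !bytes.Equal(digest[:], e.Digest) || !ecdsa.VerifyASN1(pub, digest[:], e.Sig) {
		return errors.New("signature does not match this artifact")
	}
	for _, l := range tlog.Entries {
		if bytes.Equal(l.Sig, e.Sig) && bytes.Equal(l.CertDER, e.CertDER) &&
			l.IntegratedTime.Equal(e.IntegratedTime) {
			return nil
		}
	}
	return errors.New("signature is not recorded in the transparency log")
}

func main() {
	now := time.Date(2021, 3, 9, 12, 0, 0, 0, time.UTC)
	ca, tlog, pkg := NewCA(now), &Log{}, []byte("constructed package contents v1.0.0")
	e := Sign(ca, tlog, "dev@example.com", pkg, now)
	late := e
	late.IntegratedTime = now.Add(time.Hour) // claims the log saw it after the cert expired
	fmt.Println("genuine:", Verify(ca.Cert, tlog, e, "dev@example.com", pkg))
	fmt.Println("tampered:", Verify(ca.Cert, tlog, e, "dev@example.com", []byte("typosquat")))
	fmt.Println("wrong identity:", Verify(ca.Cert, tlog, e, "attacker@example.com", pkg))
	fmt.Println("expired cert:", Verify(ca.Cert, tlog, late, "dev@example.com", pkg))
}
```

Run it with go run: the first line prints <nil> and the other three print the reason for rejection. The line to take away is the CurrentTime field in Verify. The certificate is designed to be expired by the time anyone checks the signature, so validity is judged at the moment the log recorded it, which is exactly why the log has to be public and append-only: it is the only witness to when the signature was made.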

Protecting the software we install is essential for security
The programs we install and the software we download from the Internet are one of the main routes attackers use to sneak malware onto our computers. Simply getting us to install an application lets them deploy many types of attacks.
This makes it very important to choose carefully which software we install and where we download it from, and of course to keep it updated so that vulnerabilities are patched before third parties exploit them.
The idea of the Sigstore project is to give developers stronger assurance of the authenticity of the software they use when building applications, and in turn to let them offer users programs whose origin can be verified.
Equally, any program may turn out to have a vulnerability in the future, and a valid signature does nothing to change that. Hence the importance of always installing the updates that are available: flaws that go unpatched are exploited by attackers to steal information or gain access to the system.