The Linux Foundation is launching its new sigstore project to provide better security and protection for all aspects of the software supply chain. The new project will let developers sign specific artifacts of their development process, ensuring that files and other assets carry strong, tamper-resistant cryptographic signatures.

sigstore to Protect Software Origins

The Linux Foundation's sigstore is a free-to-use, non-profit public good software signing service that will use existing key technology to protect software development supply chains better.

It will also use transparent logging technologies to make it easier to trace the "provenance, integrity, and discoverability" of the software supply chain, making it easier for both project owners and contributors to trust and monitor changes.

In short, sigstore could give software developers an easier-to-use, free option for protecting the important files associated with a project. Developers can use sigstore to sign release files, binaries, manifests, documents, logs, and more.

Once signed, the details are added to a "tamper-resistant public log" known as rekor, which the Linux Foundation has also developed.
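To make the sign-then-log flow concrete, here is an added example (not sigstore's or Rekor's own code) in Go, the language the sigstore tooling is written in. It assumes a publisher holds an Ed25519 key, signs the SHA-256 digest of each release artifact, and submits the signed record to an append-only log whose entries are bound by a hash chain; the artifact contents and the `Demo`, `Log`, `Entry`, `SignArtifact` and `Audit` names are all constructed for illustration. The point it shows beyond the text: a later change to a logged record breaks both the signature and the chain head, so an auditor holding only the earlier head can detect it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Entry is one logged record: the digest of the signed artifact, the signer's
// public key, and the signature over that digest. Only the digest is recorded,
// so the artifact itself never has to leave the publisher.
type Entry struct {
	ArtifactDigest [32]byte
	PublicKey      ed25519.PublicKey
	Signature      []byte
}

// Log is an append-only list bound by a hash chain:
// heads[i] = SHA-256(heads[i-1] || hashEntry(entries[i])).
// Editing or dropping any earlier entry changes every later head, which is
// what makes the log tamper-evident rather than merely a list of signatures.
type Log struct {
	entries []Entry
	heads   [][32]byte
}

// hashEntry gives each record a fixed-size fingerprint for the chain.
func hashEntry(e Entry) [32]byte {
	h := sha256.New()
	h.Write(e.ArtifactDigest[:])
	h.Write(e.PublicKey)
	h.Write(e.Signature)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// chainHead derives the next head from the previous head and an entry hash.
func chainHead(prev, entry [32]byte) [32]byte {
	return sha256.Sum256(append(prev[:], entry[:]...))
}

// SignArtifact hashes the artifact bytes and signs the digest (hypothetical
// publisher-side step; sigstore's own clients differ in detail).
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Entry {
	digest := sha256.Sum256(artifact)
	return Entry{
		ArtifactDigest: digest,
		PublicKey:      priv.Public().(ed25519.PublicKey),
		Signature:      ed25519.Sign(priv, digest[:]),
	}
}

// VerifyEntry checks that the signature in a record is valid for its digest.
func VerifyEntry(e Entry) bool {
	return len(e.PublicKey) == ed25519.PublicKeySize &&
		ed25519.Verify(e.PublicKey, e.ArtifactDigest[:], e.Signature)
}

// Append admits a record only if its signature verifies, then extends the chain.
func (l *Log) Append(e Entry) (int, error) {
	if !VerifyEntry(e) {
		return -1, fmt.Errorf("refusing to log entry with invalid signature")
	}
	var prev [32]byte
	if n := len(l.heads); n > 0 {
		prev = l.heads[n-1]
	}
	l.entries = append(l.entries, e)
	l.heads = append(l.heads, chainHead(prev, hashEntry(e)))
	return len(l.entries) - 1, nil
}

// Audit recomputes the whole chain from the stored records and reports whether
// every signature still verifies and every recomputed head matches the stored one.
func (l *Log) Audit() bool {
	var prev [32]byte
	for i, e := range l.entries {
		if !VerifyEntry(e) {
			return false
		}
		prev = chainHead(prev, hashEntry(e))
		if prev != l.heads[i] {
			return false
		}
	}
	return true
}

// Demo signs two constructed sample artifacts, logs them, then alters one stored
// record. It returns (first signature valid, audit before, audit after tampering).
func Demo() (bool, bool, bool) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	var tl Log
	for _, artifact := range []string{"release-1.0.tar.gz contents", "SHA256SUMS contents"} {
		if _, err := tl.Append(SignArtifact(priv, []byte(artifact))); err != nil {
			panic(err)
		}
	}
	sigOK := VerifyEntry(tl.entries[0])
	before := tl.Audit()
	// Simulated tampering: the stored digest no longer matches what was signed.
	tl.entries[0].ArtifactDigest = sha256.Sum256([]byte("substituted artifact"))
	return sigOK, before, tl.Audit()
}

func main() {
	sigOK, before, after := Demo()
	fmt.Printf("signature valid: %v, audit before: %v, audit after tampering: %v\n", sigOK, before, after)
}
```

Running it prints `signature valid: true, audit before: true, audit after tampering: false`. A real transparency log uses a Merkle tree rather than a linear chain so that a client can verify one entry's inclusion without replaying every record, but the property a defender relies on is the same: any alteration of logged history is detectable from a previously pinned head.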

Users are susceptible to various targeted attacks, along with account and cryptographic key compromise. Keys in particular are a challenge for software maintainers to manage. Projects often have to maintain a list of current keys in use, and manage the keys of individuals who no longer contribute to a project.

Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, Purdue University, is "very excited about the prospects of a system like sigstore."

The software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure.


Protecting Vulnerable Software Developers

The Linux Foundation's sigstore project is bringing attention to a vulnerable area for software developers. Currently, very few projects actively sign software artifacts. Signing is time-consuming, requires extra management, and developers often feel their time is better spent elsewhere than on complex key management mechanisms.


Currently, many developers opt for the easiest option possible, hiding critical encryption keys in readme files or other vulnerable places. Storing keys in easily accessible, unprotected files is a recipe for disaster, as the various GitHub and Bitbucket breaches over the years have shown.

sigstore, then, should make it at least a bit easier to manage encryption keys for software projects, freeing up developers to continue with the bits of work they actually enjoy.