'Sigstore: Software Signing For Everybody' has been published in the proceedings of the ACM Computer and Communications Security Conference



"Sigstore: Software Signing for Everybody" has been published at the 2022 ACM Computer and Communications Security (CCS) conference in Los Angeles, CA. CCS is an academic computer security conference featuring publications from research universities around the world and industry labs at organizations like Google, Microsoft, Meta, and Amazon. This peer-reviewed research paper describes Sigstore, its security model, some data about its usage, and potential applications, and is freely available under a CC-BY 4.0 license. The paper describes a formal attacker model and outlines the possible avenues to attack the Sigstore ecosystem. This research also explains how to better harden the ecosystem and prevent such attacks.

It’s a testament to the rate of progress in the Sigstore ecosystem that many of the paper’s data points are already out of date. For instance, when the paper was drafted 9 months ago, there were 2 million entries in the Rekor log; now there are 6 million! In addition, many of the “proposed” adoptions are well underway.

This is an important milestone for the Sigstore community and highlights ways the Sigstore community can participate in innovative research in academia, industry, and standards bodies. Part of this effort to engage is supported by initiatives like the NSF’s Pathways for Open Source Ecosystems (POSE) program (award 2229703), which helps us grow an open community to develop accountable software for the public good. Solving software supply chain security woes requires people from all backgrounds and areas of expertise.

This paper was possible only due to the hard work of the Sigstore community, and we hope that it represents the beginning of a long line of academic inquiry into securing software with Sigstore!