Kubernetes turns to Sigstore to thwart open source software supply chain attacks

The Kubernetes container orchestrator will now include cryptographically signed certificates, using the Sigstore project created last year by the Linux Foundation, Google, Red Hat and Purdue University in a bid to protect against supply chain attacks.

Sigstore certificates are used by the newly released Kubernetes version 1.24 and all future versions.

According to Sigstore founding developer Dan Lorenc, a former member of Google’s open source security team, the use of Sigstore certificates allows Kubernetes users to verify the authenticity and integrity of the distribution they are using “giving users the ability to verify signatures and have greater confidence in the origin of any and all deployed Kubernetes binaries, source packages, and container images.”

It is a step forward for open source software development in the battle against software supply chain attacks.

The Linux Foundation announced the Sigstore project in March 2021. The new Alpha-Omega open source supply chain security project, backed by Google and Microsoft, also uses Sigstore certificates. Google’s open source security team announced the Sigstore-related Cosign project in May 2021 to simplify container image signing and verification, as well as Rekor’s “tamper-resistant” ledger, which lets software maintainers and build systems record signed metadata in an “immutable record”.
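The verification step the article refers to, as an added example rather than code from the article, the Kubernetes release team or the Sigstore project: a POSIX shell script that checks a downloaded release artifact first against its published SHA-256 checksum and then against the Sigstore certificate and signature files published beside it, using cosign's keyless `verify-blob` mode. The signer identity and OIDC issuer are placeholders that must be replaced with the values from the project's own release documentation; the `.cert`/`.sig` naming next to the artifact is an assumption.

```shell
#!/bin/sh
# Added example: verify a downloaded release artifact before trusting it.
# Layer 1: integrity, against a published SHA-256 checksum.
# Layer 2: authenticity, keyless Sigstore verification with cosign using the
#          certificate and signature files published next to the artifact.
# EXPECTED_IDENTITY / EXPECTED_ISSUER are PLACEHOLDERS: take the real values
# from the project's release documentation, never from the download itself.
set -u

EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-release-signer@example.invalid}"
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://issuer.example.invalid}"

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Integrity check: succeeds only if the file's digest equals the expected one.
check_sha256() {
  file=$1; expected=$2
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Authenticity check: keyless Sigstore verification of a blob.
# Exit codes: 0 verified, 1 verification failed, 2 cosign not installed.
# --certificate-identity and --certificate-oidc-issuer pin WHO may have signed;
# without them any syntactically valid Sigstore certificate would be accepted.
cosign_verify_blob() {
  file=$1
  command -v cosign >/dev/null 2>&1 || return 2
  cosign verify-blob \
    --certificate "$file.cert" \
    --signature "$file.sig" \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$file" >/dev/null 2>&1 || return 1
}

# Full check: both layers must pass, and the caller learns which one failed.
verify_artifact() {
  file=$1; expected_sha=$2
  check_sha256 "$file" "$expected_sha" || { echo "checksum mismatch: $file" >&2; return 1; }
  cosign_verify_blob "$file"
  rc=$?
  case $rc in
    0) echo "verified: $file" ;;
    1) echo "signature verification FAILED: $file" >&2 ;;
    2) echo "cosign not installed; signature NOT checked for $file" >&2 ;;
  esac
  return $rc
}
```

A distinct exit code for "cosign missing" matters in CI: a pipeline that treats an absent tool the same as a passed check silently loses the authenticity layer, which is exactly the gap a supply chain attacker relies on.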

According to Lorenc, the Kubernetes release team’s adoption of Sigstore is part of its work on Supply-chain Levels for Software Artifacts, or SLSA, a framework Google originally developed to secure its own internal software supply chain and which is now a 3-tier specification being developed by Google, Intel, the Linux Foundation and others. Kubernetes achieved SLSA Level 1 compliance in version 1.23.

“Sigstore was a key project in achieving SLSA Level 2 status and getting a head start on achieving SLSA Level 3 compliance, which the Kubernetes community hopes to achieve this August,” says Lorenc.

Lorenc tells ZDNet that Kubernetes’ adoption of Sigstore is a big step forward for the project because it has around 5.6 million users. The Sigstore project is also reaching out to Python developers with a new tool for signing Python packages, as well as major package repositories like Maven Central and RubyGems.

Projects like Kubernetes serve as critical focal points: they help draw attention, they are labor-intensive, and they have a huge impact on the entire supply chain, he says.

These efforts coincide with new projects like the Package Analysis Project, an initiative by Google and the Linux Foundation’s Open Source Security Foundation (OpenSSF) to identify malicious packages for popular languages like Python and JavaScript.

Such malicious packages are regularly uploaded to popular repositories despite their best efforts, sometimes with devastating consequences for users, according to Google.
