Kubernetes uses Sigstore to thwart open source software supply chain attacks


The Kubernetes container orchestrator will now ship cryptographically signed certificates, using the Sigstore project created last year by the Linux Foundation, Google, Red Hat and Purdue University, to protect against software supply chain attacks.

Sigstore certificates are used in the just released Kubernetes version 1.24 and all future releases.

According to Dan Lorenc, founding developer of Sigstore and a former member of Google’s open source security team, the use of Sigstore certificates allows Kubernetes users to verify the authenticity and integrity of the distribution they are using by “giving users the ability to verify signatures and have greater confidence in the origin of each and every deployed Kubernetes binary, source code bundle, and container image.”

This is a step forward for open source software development in the fight against software supply chain attacks.

The Linux Foundation announced the Sigstore project in March 2021. The new Alpha-Omega open source supply chain security project, which is backed by Google and Microsoft, also uses Sigstore certificates. In May 2021, Google’s open source security team announced Cosign, a Sigstore-linked project that simplifies signing and verifying container images, as well as Rekor, a “tamper-proof” registry that lets software maintainers and system builders store signed metadata in an “immutable record”.

According to Lorenc, the Kubernetes release team’s adoption of Sigstore is part of its work on Supply-chain Levels for Software Artifacts, or SLSA – a framework Google originally developed to protect its own internal software supply chain, and which is now a 3-tier specification shaped by Google, Intel, the Linux Foundation and others. Kubernetes achieved SLSA Level 1 compliance in version 1.23.

“Sigstore has been a key project in achieving SLSA Level 2 status and getting a head start toward SLSA Level 3 compliance, which the Kubernetes community expects to achieve in August,” Lorenc said.

Lorenc tells ZDNet that Kubernetes’ adoption of Sigstore is a major step forward for the project, as Kubernetes has around 5.6 million users. The Sigstore project is also reaching out to Python developers with a new tool for signing Python packages, as well as to major package repositories such as Maven Central and RubyGems.

Kubernetes serves as a critical focal point that helps attract attention, takes a large amount of work, and has an outsized impact on the entire supply chain, he says.

These efforts coincide with new projects like the Package Analysis Project, an initiative by Google and the Linux Foundation’s Open Source Security Foundation (OpenSSF) to identify malicious packages for popular languages like Python and JavaScript.

Malicious packages are regularly uploaded to popular repositories despite maintainers’ best efforts, sometimes with devastating consequences for users, according to Google.
