An inherent weakness of open source code is that it's difficult to determine its provenance and how it was built, which leaves it prone to supply chain attacks. Google aims to solve this problem, which is why it has collaborated with Red Hat and Smallstep to introduce Sigstore (stylized "sigstore") under the Linux Foundation, making it easier to digitally sign and verify source code.
Google describes sigstore as "Let's Encrypt for Code Signing": while the latter provides certificates and automation tools for HTTPS, the former does the same for code signing.
Additionally, all sigstore certificates and attestations are stored in transparency logs backed by Trillian, and can be viewed and audited by anyone. Google says it understands the challenges of long-term key management and key distribution, so it will issue short-lived certificates based on OpenID Connect grants, together with a root Certificate Authority (CA) dedicated to code signing.
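The "viewed and audited by anyone" property rests on Merkle-tree inclusion proofs. As an added example (not sigstore's or Trillian's own code), this Go sketch builds an RFC 6962-style tree over constructed entries, hands out an audit path as a log server would, and verifies it as an auditor would; the function and type names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"math/bits"
)

type digest = [32]byte

// RFC 6962 domain separation, as in Trillian-backed logs: 0x00 prefixes a
// leaf, 0x01 an interior node, so a leaf can never be passed off as a node.
func leafHash(data []byte) digest { return sha256.Sum256(append([]byte{0x00}, data...)) }

func nodeHash(l, r digest) digest { return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...)) }

// rootAndProof returns MTH(D[n]) and the audit path for leaf m: what a log
// server hands an auditor. leaves are already leaf-hashed (constructed demo data).
func rootAndProof(m int, leaves []digest) (digest, []digest) {
	if len(leaves) == 1 {
		return leaves[0], nil
	}
	k := 1 << (bits.Len(uint(len(leaves)-1)) - 1) // largest power of two < n
	if m < k {
		sub, path := rootAndProof(m, leaves[:k])
		sib, _ := rootAndProof(0, leaves[k:])
		return nodeHash(sub, sib), append(path, sib)
	}
	sub, path := rootAndProof(m-k, leaves[k:])
	sib, _ := rootAndProof(0, leaves[:k])
	return nodeHash(sib, sub), append(path, sib)
}

// verifyInclusion is the auditor's side (RFC 9162 s. 2.1.3.2): rebuild the
// root from the raw leaf and the audit path and compare with the signed root.
func verifyInclusion(root digest, leaf []byte, index, size int, proof []digest) bool {
	fn, sn, r := index, size-1, leafHash(leaf)
	for _, p := range proof {
		if sn == 0 {
			return false // path is longer than the tree allows
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && r == root
}
```

A real client additionally checks the log's signature over the root and the entry's timestamp against the short-lived certificate's validity window.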
Red Hat's Security Engineering Lead Luke Hinds said:
I am very excited about sigstore and what this means for improving the security of software supply chains. sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.
As it currently stands, sigstore has a fully functioning transparency log, but the WebPKI and client signing tooling are still in the prototyping stage and not ready for general use. The tool is open source and free for all developers to use. The development team thinks there are no privacy concerns involved, as sigstore needs no personal information beyond the OpenID Connect grant, which contains the user's email address. Future plans for sigstore include support for other OpenID Connect providers, updated documentation, completion of the remaining signing infrastructure, and hardening the system for general use. You can find out more about the project on the dedicated website here.