Benefits of keyless software signing
Keyless software signing is a method of authenticating and validating software that does not rely on traditional long lived cryptographic keys. Instead, it uses ephemeral keys tied to digital identities (like your email account) to sign and verify software.
The use of traditional signing keys makes your software susceptible to “exfiltration attacks” where these keys are stolen and used to sign malicious software. For example, last month Android announced that stolen Android signing keys were being used to sign malware. These “exfiltration attacks” are even more damaging for signing keys than for credentials because authorization of credentials is often an online process, so revoking access is easier. This means that the end user has to take action to rotate or change their key to mitigate potential abuse.
With keyless signing you don’t have to worry about rotating your keys, because they are short lived. Some of the “key” benefits of keyless software signing include:
Improved security: Keyless signing is more secure than traditional key-based signing because it reduces the risk of key compromise. With keyless signing, the keys are not present on the signing machine, so they cannot be stolen or copied.
Enhanced traceability: Keyless signing provides a more comprehensive and auditable record of the software signing process. This can make it easier to track who signed a particular piece of software and when it was signed.
Increased flexibility: Keyless signing makes it easier to sign software from multiple locations or devices, as the keys do not need to be present on the signing machine. This can be particularly useful for organizations with distributed development teams. Making it easier for teams to sign their software builds vs only signing the software pushed to production.
Reduced reliance on individual team members: Keyless signing reduces the reliance on individual team members for signing software. With keyless signing, multiple people or devices can be authorized to sign software, which can make the process more resilient to the loss of any one person or device.
The use of keyless signing increases the security of your software supply chain and your development teams productivity.
Getting Started with Keyless Signing
The good news is that introducing keyless signing to your organization has never been easier. Project Sigstore, a free and open source tool designed for signing, verifying, and protecting your software artifacts is now generally available – meaning that your team can start using it today to sign software.
Sigstore combines a few technologies that can be used independently, or as one single process. It’s a way for development teams to sign off on what they build, without needing to jump through hoops or know tricky security protocols. And it’s a way for anyone using those releases to verify the signatures against a tamper-proof log. Sigstore is the de facto signing standard for many open source projects and libraries like Kubernetes, npm and PyPi as well as enterprises like Verizon and Autodesk.
Let Chainguard Help
At Chainguard, we’re on a mission to ensure that every link in your software supply chain is secure by default. With Chainguard Enforce Signing, powered by Sigstore, we help our customers deploy keyless signing throughout their organization. This capability allows customers to bring their own key and certificate, so key usage can be monitored and audited per compliance and privacy requirements. No information is stored in a public transparency log, so customers get the value of Sigstore without losing any privacy.
Software signatures are a critical part of software supply chain security – let us help you get it right. Start signing your software today with our Chainguard Enforce 30-day free trial. Chainguard Enforce Signing will be an early access program in private preview for select customers.
For more on this topic:
Share this article
Related articles
- Product
Introducing New Updates to the Chainguard Images Directory
We've improved the Chainguard Images Directory with Helm charts for faster deployments, an ROI calculator, and more refreshed data to improve your experience.
Ron Norman, Director of UX and Design, and Julian Vermette, Principal Software Engineer
- Product
Introducing the Self-Serve Catalog Experience
Chainguard launches the Self-Serve Experience for Catalog customers: instantly add, rename, or remove container images from our catalog, no tickets required.
Tony Camp, Staff Product Manager
- Product
Custom Assembly Updates: Create Multiple, Customized Variants of a Chainguard Container
Customize Chainguard Containers with the latest Custom Assembly update. You can create, edit, and manage secure, zero-CVE image variants directly in the console.
Tony Camp, Staff Product Manager
- Product
Class in Session: Chainguard Contributes to the Higher Education Community
Catch up on what Chainguard is doing with higher education institutions to advance open source security and build the next generation of innovation.
Ewan Simpson, Higher Education Advocate, and SJ Cushing, Field Marketing Manager, Higher Education
- Product
Secure and Free MinIO Chainguard Containers
MinIO pulled its free images—but Chainguard has you covered. Get zero-CVE, continuously built MinIO and MinIO Client containers, free and secure from Chainguard.
Manfred Moser, Senior Principal Developer Relations Engineer, Dimitri John Ledkov, Senior Principal Software Engineer, Lisa Tagliaferri, Senior Director, Developer Enablement, and Aaditya Jain, Senior Product Marketing Manager
- Product
Chainguard Libraries for Python: Now Generally Available with CVE Remediation and Malware Protection
Chainguard Libraries for Python, trusted open source language libraries designed for CVE remediation and malware protection, is now generally available.
Bria Giordano, Director, Product Marketing, and Anushka Iyer, Product Marketing Manager