Keyless software signing is a method of authenticating and validating software that does not rely on traditional long lived cryptographic keys. Instead, it uses ephemeral keys tied to digital identities (like your email account) to sign and verify software.
The use of traditional signing keys makes your software susceptible to “exfiltration attacks” where these keys are stolen and used to sign malicious software. For example, last month Android announced that stolen Android signing keys were being used to sign malware. These “exfiltration attacks” are even more damaging for signing keys than for credentials because authorization of credentials is often an online process, so revoking access is easier. This means that the end user has to take action to rotate or change their key to mitigate potential abuse.
With keyless signing you don’t have to worry about rotating your keys, because they are short lived. Some of the “key” benefits of keyless software signing include:
Improved security: Keyless signing is more secure than traditional key-based signing because it reduces the risk of key compromise. With keyless signing, the keys are not present on the signing machine, so they cannot be stolen or copied.
Enhanced traceability: Keyless signing provides a more comprehensive and auditable record of the software signing process. This can make it easier to track who signed a particular piece of software and when it was signed.
Increased flexibility: Keyless signing makes it easier to sign software from multiple locations or devices, as the keys do not need to be present on the signing machine. This can be particularly useful for organizations with distributed development teams. Making it easier for teams to sign their software builds vs only signing the software pushed to production.
Reduced reliance on individual team members: Keyless signing reduces the reliance on individual team members for signing software. With keyless signing, multiple people or devices can be authorized to sign software, which can make the process more resilient to the loss of any one person or device.
The use of keyless signing increases the security of your software supply chain and your development teams productivity.
Getting Started with Keyless Signing
The good news is that introducing keyless signing to your organization has never been easier. Project Sigstore, a free and open source tool designed for signing, verifying, and protecting your software artifacts is now generally available – meaning that your team can start using it today to sign software.
Sigstore combines a few technologies that can be used independently, or as one single process. It’s a way for development teams to sign off on what they build, without needing to jump through hoops or know tricky security protocols. And it’s a way for anyone using those releases to verify the signatures against a tamper-proof log. Sigstore is the de facto signing standard for many open source projects and libraries like Kubernetes, npm and PyPi as well as enterprises like Verizon and Autodesk.
Let Chainguard Help
At Chainguard, we’re on a mission to ensure that every link in your software supply chain is secure by default. With Chainguard Enforce Signing, powered by Sigstore, we help our customers deploy keyless signing throughout their organization. This capability allows customers to bring their own key and certificate, so key usage can be monitored and audited per compliance and privacy requirements. No information is stored in a public transparency log, so customers get the value of Sigstore without losing any privacy.
Software signatures are a critical part of software supply chain security – let us help you get it right. Start signing your software today with our Chainguard Enforce 30-day free trial. Chainguard Enforce Signing will be an early access program in private preview for select customers.
For more on this topic: