
Benefits of Keyless Software Signing

Kaylin Trychon
  •  
January 6, 2023

Keyless software signing is a method of authenticating and validating software that does not rely on traditional long-lived cryptographic keys. Instead, it uses ephemeral keys tied to digital identities (such as your email account) to sign and verify software.

The use of traditional signing keys makes your software susceptible to “exfiltration attacks”, in which the keys are stolen and used to sign malicious software. For example, last month Android announced that stolen Android signing keys were being used to sign malware. Exfiltration is even more damaging for signing keys than for credentials: authorizing a credential is usually an online process, so access can be revoked centrally, whereas a signing key remains usable until its owner takes action to rotate or replace it, which is what it takes to mitigate potential abuse.

With keyless signing you don’t have to worry about rotating your keys, because they are short-lived. Some of the “key” benefits of keyless software signing include:

Improved security: Keyless signing is more secure than traditional key-based signing because it reduces the risk of key compromise. With keyless signing, no long-lived key is stored on the signing machine, so there is nothing for an attacker to steal or copy.

Enhanced traceability: Keyless signing provides a more comprehensive and auditable record of the software signing process, making it easier to track who signed a particular piece of software and when it was signed.

Increased flexibility: Keyless signing makes it easier to sign software from multiple locations or devices, as no long-lived key needs to be present on the signing machine. This is particularly useful for organizations with distributed development teams, and it makes it practical to sign every software build rather than only the software pushed to production.

Reduced reliance on individual team members: Keyless signing reduces the reliance on individual team members for signing software. Multiple people or devices can be authorized to sign, which makes the process more resilient to the loss of any one person or device.

Keyless signing increases both the security of your software supply chain and your development teams’ productivity.

Getting Started with Keyless Signing

The good news is that introducing keyless signing to your organization has never been easier. Sigstore, a free and open source project for signing, verifying, and protecting your software artifacts, is now generally available, meaning that your team can start using it today to sign software.

Sigstore combines a few technologies that can be used independently or as one single process. It’s a way for development teams to sign off on what they build without needing to jump through hoops or know tricky security protocols, and it’s a way for anyone using those releases to verify the signatures against a tamper-proof log. Sigstore is the de facto signing standard for many open source projects and package ecosystems such as Kubernetes, npm and PyPI, as well as for enterprises like Verizon and Autodesk.
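To make the flow described above concrete, here is an added Go example (not code from this post or from Sigstore) that models keyless signing in miniature: a stand-in certificate authority binds an identity to an ephemeral key in a short-lived certificate, the key signs an artifact and is then dropped, and the verifier checks the chain as of the time a log recorded the signature, the signer identity, and the signature itself. The CA, the identity `dev@example.com` and the ten-minute validity window are constructed assumptions; the real Sigstore stack (Fulcio, Rekor, an OIDC provider) has far more moving parts.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
type ca struct{ key *ecdsa.PrivateKey; cert *x509.Certificate } // constructed stand-in for a Fulcio-style CA
type Bundle struct{ Sig, CertDER []byte; LoggedAt time.Time }   // signature, short-lived cert, time the log recorded them
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
func newCA() (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, root, root, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &ca{key, cert}, nil
}

// Sign mints an ephemeral key, binds it to the identity in a 10-minute certificate, signs, and lets the key die.
func Sign(c *ca, identity string, artifact []byte) (Bundle, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return Bundle{}, err }
	now := time.Now()
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{identity}, NotBefore: now,
		NotAfter: now.Add(10 * time.Minute), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	certDER, err := x509.CreateCertificate(rand.Reader, leaf, c.cert, &key.PublicKey, c.key)
	if err != nil { return Bundle{}, err }
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(artifact))
	return Bundle{Sig: sig, CertDER: certDER, LoggedAt: now}, err // key is never persisted: nothing long-lived to steal
}

// Verify chains the certificate to the CA as of the logged time, checks the signer identity, then the signature.
func Verify(c *ca, b Bundle, wantIdentity string, artifact []byte) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil { return err }
	roots := x509.NewCertPool(); roots.AddCert(c.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: b.LoggedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil { return err } // fails outside the 10-minute window
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantIdentity { return errors.New("signer identity mismatch") }
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest(artifact), b.Sig) { return errors.New("signature does not match artifact") }
	return nil
}
```

The verifier never needs the signer's private key: the identity in the certificate and the logged time are what tie the signature to a person and a moment.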

Let Chainguard Help 

At Chainguard, we’re on a mission to ensure that every link in your software supply chain is secure by default. With Chainguard Enforce Signing, powered by Sigstore, we help our customers deploy keyless signing throughout their organization. The capability allows customers to bring their own key and certificate, so key usage can be monitored and audited in line with compliance and privacy requirements. No information is stored in a public transparency log, so customers get the value of Sigstore without giving up any privacy.

Software signatures are a critical part of software supply chain security, and we can help you get it right. Start signing your software today with our Chainguard Enforce 30-day free trial. Chainguard Enforce Signing will be an early access program in private preview for select customers.

For more on this topic:

  • Zero-friction “keyless signing” with Kubernetes
  • Keyless Signing with Tekton on Amazon EKS
  • Keyless Git Commit Signing with Gitsign and GitHub Actions

