Sign of the primes: Linux Foundation serves up free code-signing service

The Linux Foundation, with the support of Google, Red Hat, and Purdue University, is launching a service called sigstore to help developers sign the code they release. Signing code involves associating a cryptographic signature with a specific digital artifact – release files, container images, and binaries – so that the …

  1. Bitsminer Silver badge

    Who is missing?

    Can you spell GitHub? Or GitLab? Or Perl? Or CPAN? Or RubyGems? Or PyPI? Or Crates? Or <insert your favourite repo here>?

    Needs more takeup. And less hype.

  2. Anonymous Coward

    This will work great!

    People will start trusting code that they download ... without actually checking the code in detail. Yes, I think that this is a good new feature but I don't think that it's completely safe, or guarantees everything. I see these stories and the second thing that always comes to mind is that I can see a way that might work to hack it.

    1. ortunk

      Re: This will work great!

      So you type npm install <packagename> and then read through the plethora of files downloaded by it.

  3. Anonymous Coward

    "'We don't want to block the bad stuff coming in because the signature signing system is backed by a technology called a transparency log, which is where all of the signatures, and who signed what, is stored,' he said. This allows anyone, via an API that's provided, to audit signatures."

    Verify, but Don't Trust? Who verifies the transparency log, and how?

  4. damiandixon

    Cost for signing installers is expensive

    It's well out of reach for most open source developers and one man bands...

    Anything that reduces the cost and provides an audit trail should be welcomed.

  5. Tzhx

    Not blocking bad stuff coming in?

    This... doesn't seem like the best idea.

    The reason many people would want code signing is to either:

    - get past the additional prompt that warns users of some OSes that applications are unsigned; or

    - get past organisation restrictions that prevent running unsigned code

    Making this more accessible is great for small businesses, but I don't think it makes up for making it more accessible/free for the malware/scamware market where the users they're going to trick who might have thought twice about a warning (or not have permission to get past it) aren't going to go and audit the certificate/signing record of everything "bob from accounting" has sent them and asked them to run to verify their timesheets.

    1. bombastic bob Silver badge
      Unhappy

      Re: Not blocking bad stuff coming in?

      yes this code signing thing has worked SO well for MS Windows...

      </snark>

    2. John Robson Silver badge

      Re: Not blocking bad stuff coming in?

      They are guaranteeing that the code you have was released by the person who is claiming to have released it.

      That's different from inspecting and verifying code for potentially malicious behaviour.

      Not even trying to do the same job. But I could probably auto trust stuff signed by Linus (Torvalds, not Sebastian) or Simon Tatham, and verify that the email address that code is signed with is advertised by the developers in other cases.

      I still have to judge whether to trust the people, but I now know who I am trusting.

  6. steelpillow Silver badge
    Trollface

    transparency

    So how can we audit the hacks to the transparency log's entries in the transparency log - or whatever? Where there's a will, there's a way.

    1. Tzhx

      Re: transparency

      store it on the blockchain /s
