Who is missing?
Can you spell Github? Or Gitlab? Or perl? or cpan? Or rubygems? Or PyPI? Or Crates? Or <insert your favourite repo here>?
Needs more takeup. And less hype.
The Linux Foundation, with the support of Google, Red Hat, and Purdue University, is launching a service called sigstore to help developers sign the code they release. Signing code involves associating a cryptographic signature with a specific digital artifact – release files, container images, and binaries – so that the …
People will start trusting code that they download ... without actually checking the code in detail. Yes, I think that this is a good new feature but I don't think that it's completely safe, or guarantees everything. I see these stories and the second thing that always comes to mind is that I can see a way that might work to hack it.
""We don't want to block the bad stuff coming in because the signature signing system is backed by a technology called a transparency log, which is where all of the signatures, and who signed what, is stored," he said. This allows anyone, via an API that's provided, to audit signatures. "
Verify, but Don't Trust? Who verifies the transparency log, and how?
This... doesn't seem like the best idea.
The reason many people would want code signing is to either:
- get past the additional prompt that warns users of some OS's that applications are unsigned; or
- get past organisation restrictions that prevent running unsigned code
Making this more accessible is great for small businesses, but I don't think it makes up for making it more accessible/free for the malware/scamware market where the users they're going to trick who might have thought twice about a warning (or not have permission to get past it) aren't going to go and audit the certificate/signing record of everything "bob from accounting" has sent them and asked them to run to verify their timesheets.
They are guaranteeing that the code you have was released by the person who is claiming to have released it.
That's different from inspecting and verifying code for potentially malicious behaviour.
Not even trying to do the same job. But I could probably auto trust stuff signed by Linus (Torvalds, not Sebastian) or Simon Tatham, and verify that the email address that code is signed with is advertised by the developers in other cases.
I still have to judge whether to trust the people, but I now know who I am trusting.