 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
With the release of Kubernetes 1.24 on May 4, for the first time, over five million Kubernetes developers can verify that the distributions they’re using are what they claim to be. That’s because with this release Kubernetes is adopting Sigstore for signing artifacts and verifying signatures. This is a major move forward for Kubernetes security.
As we all know, container supply chain security has become a critical issue. All too often software components are poisoned, and every program built on them wither and die with them. Introduced last year, Sigstore is a free software signing service. It improves software supply chain security by making it easy to cryptographically sign release files, container images, and binaries. Once signed, the signing record is kept in a tamper-proof public log. The sigstore will be free to use by all developers and software providers. This gives software artifacts a safer chain of custody that can be secured and traced back to their source.
One reason this is such a big deal, Tracy Miranda, developer security company Chainguard‘s head of open source, explained is that it’s “a huge step in protecting the integrity of the Kubernetes ecosystem and demonstrates that code signing at an enormous scale is possible and frankly necessary due to the increase in supply chain attacks.”
It’s the ease of use that’s important here. We’ve long known that it was good security to cryptographically sign and verify programming elements, but most earlier cryptographic signature tools have either been too cumbersome or too confusing to use. Without easy-to-use tools to digitally sign their code, few developers are going to bother. That’s where Sigstore came in.
As Bob Callaway, a Google Staff Software Engineer and Sigstore project founder, said “We built Sigstore to be easy, free, and seamless so that it would be massively adopted and protect us all from supply chain attacks. Kubernetes’ choice to use Sigstore is a testament to that work.”
The Kubernetes release team saw the importance of this effort. In early 2021, the crew began exploring Supply chain Levels for Software Artifacts, (SLSA, pronounced salsa) compliance to improve Kubernetes software supply chain security. SLSA is a security framework that includes a checklist of standards and controls to prevent tampering, improve the integrity, and secure the packages and infrastructure of your projects. Sigstore was a key project in achieving SLSA level 2 status and getting a head start towards achieving SLSA level 3 compliance, which the Kubernetes community expects to reach this August.
Sigstore also delivers a variety of benefits to the Kubernetes community, including:
“Security is a never-ending journey, but each step delivered to decrease attackers’ ability to undermine the integrity of our supply chains is an important one,” said Tim Pepper, VMware’s Head of Open Source Technology Center and Kubernetes Steering Committee. Sigstore’s adoption by Kubernetes in its next release is a big step forward.
