New Code Signing Service sigstore

New Code Signing Service sigstore

Determining the origin and authenticity of open-source code is one of its disadvantages. This is also the reason why it is more prone to chain attacks. Google, in collaboration with Red Hat, and Purdue University, came up with the idea to address this issue. So, they created a Linux Foundation project sigstore to protect the origin of the software by improving software supply chain integrity and verification.


Reduce overall development costs by identifying and eliminating security gaps within an application while still under development.


This project provides software developers with a way to securely sign and protect important software artifacts. For example, release files, container images, binaries, manifests, documents, or logs. After signing the artifact, the record of the signing shall be kept in a public log secured against tampering. In addition, sigstore will be available for free to all developers as well as software providers.

How It Works

sigstore is described as a project like Let’s Encrypt, but for code signing. All certificates and tools for signature automation and verification are free. Moreover, all of them are stored in Transparency Logs backed up by Trillian. They can be freely accessed and checked by anyone.

Also, Google wants to issue short-term certificates that will be issued under OpenID Connect and the Root Certificate Authority (CA) for code signing purposes only. Using OpenID Connect identities brings the possibility users to take advantage of existing security controls such as two – factor authentication or hardware token generators. Another advantage is the fact that the only personal data that the sigstore will have access to is the user’s email address, which is contained in the OpenID. This service does not want to access data such as user’s contacts, email contents, cloud drive or calendar.

In summary, the process of the new service can be described in the following steps according to the documentation:

  • Users generate ephemeral short-lived key pairs. This is possible through the sigstore client.
  • After successful OpenID connect grant, sigstore PKI service will provide a signing certificate.
  • Certificates are recorded into a certificate transparency log.
  • Software signing materials are sent to a signature transparency log.
  • The transparency log introduces a trust root to the users OpenID account.

After the signing operation is complete, the keys can be discarded. This eliminates the need for additional key management.


Assistant Professor of Electrical and Computer Engineering from University of Purdue, Santiago Torres-Arias went on to say that:

“I am very excited about the prospects of a system like sigstore. The software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure. This will set a new tone in the software supply chain security conversation.”

WebPKI and client signing are currently still in the development stage of prototypes, so their use is still unsuitable for routine work. The developers plan to expand support for other OpenID Connect providers, revise the documentation, and complete the development of the signing infrastructure.