
OpenSSF Case Study: Enhancing Open Source Security with Sigstore at Stacklok

June 4, 2024 | Blog, Case Studies

Stacklok was founded in 2023 by Craig McLuckie (co-creator of Kubernetes) and Luke Hinds (creator of the OpenSSF project Sigstore), with the goal of helping developers produce and consume open source software more safely.

As malicious attacks on open source software continue to grow in number and become more sophisticated (like the recent XZ Utils incident), governments and organizations are calling for increased security and protection against these attacks. Yet open source maintainers—who are often unpaid volunteers, with other full-time jobs—lack the time to stay up to speed on security best practices, and access to freely available tools that can proactively keep their software secure.

To help open source communities and developers produce and consume open source software more safely, Stacklok is harnessing the power of Sigstore, highlighted in this case study. 

Implementation of Sigstore

Luke Hinds created Sigstore during his time as a distinguished engineer at Red Hat to provide an easier and more secure way for developers to sign and verify their software artifacts. 

Stacklok integrates Sigstore with two product offerings to address software supply chain security for open source consumers and producers. First, we integrate Sigstore with Trusty, a free-to-use web app that provides data and analysis for developers on the supply chain risk of their open source dependencies. Our risk model incorporates Sigstore signatures and metadata to gauge the trustworthiness of open source packages along with other project signals and community metrics.

Next, we integrate Sigstore with Minder, a software supply chain security platform that is available as a self-hosted platform or as-a-service (free for public repos). Minder helps maintainers more easily use open source projects like OpenSSF’s Sigstore, SLSA and OSV schema to secure their project repos, software artifacts, and build pipelines. 

Minder provides an out-of-the-box policy template enabling users to verify that container images in developers’ build pipelines have been signed using Sigstore. When the signing certificate includes build metadata, Minder can verify that artifacts originate from a specific source code repository and CI workflow. Minder can also enforce policy on provenance metadata by verifying SLSA attestations. It integrates with GitHub’s new Artifact Attestations feature to discover Sigstore-signed supply chain data for any artifact.
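The repository-and-workflow check described above, as an added example that is not Minder's or Sigstore's own code: a policy is pinned to the Fulcio certificate extensions for the source repository URI (OID 1.3.6.1.4.1.57264.1.12) and the build config URI (1.3.6.1.4.1.57264.1.18), and any certificate whose claims differ is rejected. The policy values, the self-signed stand-in certificate and its claims are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Fulcio puts build metadata in X.509 extensions under the Sigstore OID arc
// 1.3.6.1.4.1.57264.1; the v2 claims used here are DER-encoded UTF8Strings.
var (
	oidSourceRepoURI  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12}
	oidBuildConfigURI = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 18}
)

// Policy pins the repository and CI workflow allowed to have signed the artifact.
type Policy struct{ SourceRepoURI, BuildConfigURI string }

// fulcioExt decodes one Sigstore extension's DER string, or returns "" if absent.
func fulcioExt(cert *x509.Certificate, oid asn1.ObjectIdentifier) string {
	for _, e := range cert.Extensions {
		var s string
		if _, err := asn1.Unmarshal(e.Value, &s); e.Id.Equal(oid) && err == nil {
			return s
		}
	}
	return ""
}

// CheckProvenance rejects a certificate whose claims differ from the policy (exact match).
func CheckProvenance(cert *x509.Certificate, p Policy) error {
	if got := fulcioExt(cert, oidSourceRepoURI); got != p.SourceRepoURI {
		return fmt.Errorf("source repository %q not allowed (want %q)", got, p.SourceRepoURI)
	}
	if got := fulcioExt(cert, oidBuildConfigURI); got != p.BuildConfigURI {
		return fmt.Errorf("build workflow %q not allowed (want %q)", got, p.BuildConfigURI)
	}
	return nil
}

// NewTestCert mints a self-signed stand-in for a Fulcio cert (constructed test data only).
func NewTestCert(repo, workflow string) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	repoDER, _ := asn1.MarshalWithParams(repo, "utf8")        // encode as Fulcio does: UTF8String
	wfDER, _ := asn1.MarshalWithParams(workflow, "utf8")
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(10 * time.Minute),
		ExtraExtensions: []pkix.Extension{{Id: oidSourceRepoURI, Value: repoDER}, {Id: oidBuildConfigURI, Value: wfDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

This covers only the identity policy; a real verifier such as cosign additionally validates the certificate chain to the Fulcio root and the matching Rekor transparency log entry before trusting these claims.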

Challenges and Solutions

While Sigstore makes it dramatically easier for developers to sign their software artifacts, the majority of software artifacts today are still unsigned. A verifiable way to link artifacts back to their source code is critical for preventing malicious attacks and generally for ensuring code quality. 

Increased scrutiny on open source security due to recent public incidents like the XZ Utils vulnerability, as well as legislation like Executive Order 14028, means that it’s never been more critical for open source maintainers and communities to take action to secure their software projects and make sure consumers know they’re secure. That’s why we’ve made our products free to use for open source communities. Our goal is to increase awareness among the open source community of the importance of Sigstore and build provenance, and help make it easier for communities to automate artifact signing and verification and make it part of their software development lifecycle.

Community Partnership

Stacklok is not only an active user of OpenSSF resources, but we also contribute back to the OpenSSF community. Luke Hinds, CTO, currently acts as the chair of Sigstore’s technical steering committee, and previously held a community-elected position on the foundation’s first Technical Advisory Council. Engineer Rado Dimitrov is a maintainer of go-tuf, a library used in both sigstore-go and cosign/sigstore. Engineer Adolfo García Veytia is the creator of OpenVEX and Protobom, two OpenSSF projects focused on SBOM standardization and adoption.

Additionally, several Stacklok engineers participate in key OpenSSF initiatives and working groups, including operating Sigstore’s Public Good instance and participating in the Supply Chain Integrity and Securing Critical Projects groups. 

Benefits and Future Directions

The primary benefit for Stacklok in using Sigstore has been to help users of our product offerings more easily take advantage of Sigstore to secure their software supply chains. Looking ahead, we plan to build pre-configured policy templates to help open source communities and developers more easily meet OpenSSF Scorecard security standards and SLSA build levels. We also plan to provide deeper support for writing more robust security policies using metadata from GitHub-generated SLSA provenance attestations. 

Conclusion

Stacklok’s implementation of Sigstore reflects our company’s commitment to helping open source communities more easily adopt open source security tools and frameworks to keep their projects secure. As cyberthreats evolve, usage of critical tools like Sigstore can help maintainers safeguard their projects from malicious attacks and tampering, and maintain consumers’ trust in adopting open source software. We look forward to both continuing to contribute to Sigstore and the broader OpenSSF ecosystem, and to supporting more open source communities in using OpenSSF technologies to improve the security of their projects.

For more information about Stacklok and our products, visit www.stacklok.com.