Kubernetes adopts Sigstore: seamless signature verification for protection against supply chain attacks that will help more than 6 million developers

Kubernetes announced that, starting with version 1.24, it will cryptographically sign its release artifacts (binaries and container images) to add a further layer of protection against supply chain attacks. This is made possible by the Sigstore project, launched in March 2021 by the Linux Foundation, Google, Red Hat and Purdue University, and the signatures will be produced for Kubernetes 1.24 and all future versions.

Dan Lorenc, one of Sigstore's creators, says that the signatures will allow Kubernetes users to verify the authenticity and integrity of the distributions they run, simplifying the signature verification process and giving greater confidence in binaries, source code packages and container images.

Sigstore was announced in March 2021 by the Linux Foundation and is also used by the Alpha-Omega supply chain security project, in which Microsoft and Google collaborate. In 2021, Google also announced Cosign, which simplifies the signing and verification of container images (the signature is stored next to the image in the OCI registry) and records the signing metadata in Sigstore's transparency log, Rekor.
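The verification step described above, worked through as an added example (this script is not part of the original article and is not the Kubernetes project's own tooling). It pins the signing identity that the Kubernetes release pipeline uses for keyless signing, as documented by the project; confirm the identities against the current Kubernetes documentation before relying on them. The registry name, the function names and the artifact chosen for the demonstration are assumptions made for this example, and the script expects cosign 2.x, where the `--certificate-identity` and `--certificate-oidc-issuer` flags are mandatory.

```shell
#!/usr/bin/env sh
# Added example: verify Kubernetes release artifacts signed with Sigstore (cosign keyless).
# Not the project's own tooling. Assumes cosign >= 2.0 and network access to
# dl.k8s.io, the image registry and the Sigstore services (Fulcio root, Rekor log).
set -eu

REGISTRY="${REGISTRY:-registry.k8s.io}"     # assumption: current Kubernetes image registry
OIDC_ISSUER="https://accounts.google.com"   # issuer of the release pipeline's identity

# The release pipeline signs with Google service-account identities (per the Kubernetes
# docs; re-check before use). Pinning them here means an artifact signed by any other
# identity, even with a valid Sigstore certificate, is rejected.
expected_identity() {
  case "$1" in
    image)  echo "krel-trust@k8s-releng-prod.iam.gserviceaccount.com" ;;
    binary) echo "krel-staging@k8s-releng-prod.iam.gserviceaccount.com" ;;
    *)      echo "unknown artifact kind: $1" >&2; return 1 ;;
  esac
}

# Verify a container image. cosign fetches the signature stored next to the image in
# the registry, checks the certificate chain to the Sigstore root and the Rekor entry,
# and fails unless the certificate carries exactly the pinned identity and issuer.
verify_image() {
  image="$1"
  cosign verify "$REGISTRY/$image" \
    --certificate-identity "$(expected_identity image)" \
    --certificate-oidc-issuer "$OIDC_ISSUER" > /dev/null
}

# Verify a release binary: fetch the binary, its detached signature (.sig) and the
# signing certificate (.cert), then verify the blob against the pinned identity.
verify_binary() {
  version="$1"; os="$2"; arch="$3"; name="$4"
  base="https://dl.k8s.io/release/$version/bin/$os/$arch"
  for f in "$name" "$name.sig" "$name.cert"; do
    curl -sSfL --retry 3 "$base/$f" -o "$f"
  done
  cosign verify-blob "$name" \
    --signature "$name.sig" \
    --certificate "$name.cert" \
    --certificate-identity "$(expected_identity binary)" \
    --certificate-oidc-issuer "$OIDC_ISSUER"
}

# The network-dependent checks run only when a version is supplied, e.g.
#   K8S_VERSION=v1.24.0 sh verify-k8s.sh
if [ -n "${K8S_VERSION:-}" ]; then
  verify_binary "$K8S_VERSION" linux amd64 kubectl
  verify_image "kube-apiserver-amd64:$K8S_VERSION"
  echo "all checked artifacts for $K8S_VERSION verified"
fi
```

The point a practitioner should not skip is the identity pin: keyless Sigstore signatures are trusted because a certificate was issued to a known identity, so a verification that does not constrain the identity and issuer accepts anything with a valid Sigstore certificate.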

Kubernetes' adoption of Sigstore is part of its work toward the Supply Chain Levels for Software Artifacts (SLSA) framework, which defines a ladder of increasingly strict levels of protection for the software supply chain (four levels in the version current at the time) and which Kubernetes is implementing together with Google, Intel, the Linux Foundation and other contributors. Kubernetes version 1.23 achieved SLSA Level 1 compliance.

Lorenc adds that Kubernetes' adoption of Sigstore is a milestone for the project, which currently has around 5.6 million users. Sigstore is also reaching out to Python developers with a new tool for signing Python packages, and to package repositories such as Maven Central and RubyGems.

Kubernetes' adoption should draw more attention to Sigstore, which could have a considerable impact on the entire software supply chain. These efforts coincide with new initiatives such as the Package Analysis Project, run by the Linux Foundation's Open Source Security Foundation (OpenSSF) with Google, which scans packages for popular languages such as Python and JavaScript to identify malicious ones.

Threat actors regularly upload malicious packages to legitimate repositories despite continuous monitoring; such packages have become one of the main supply chain attack vectors, with serious consequences for users.