In cooperation with Red Hat and Google, the Linux Foundation wants to ensure the authenticity of open source software. That strengthens security.
The Linux Foundation is developing a free signing service for open source software as part of its sigstore project. Developers are meant to use it to sign the archives, containers and compiled binaries through which open source software is distributed, without much effort. With the signature, the developer confirms that the released artifact was actually built by them from their own source code.
This cryptographic confirmation is intended to stop unauthorized persons from taking the source code, manipulating it and passing the result off as the genuine software, for example with deliberately built-in security holes or malicious functions: a build that does not carry the developer's signature, or whose contents no longer match the signed digest, can be recognised as counterfeit.
sigstore is currently under development. It is supported by Red Hat, Google and Purdue University in the US. The service is to be free of charge and easy to use once it is ready. A public transparency log called rekor records the signatures so that anyone can verify them, and so that a signature cannot later be quietly replaced or removed.
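To make the mechanism described above concrete, here is an added example in Go, the language sigstore's tooling including rekor is written in. It is illustrative code written for this article, not code from sigstore or rekor: the `Signature` layout, the `Sign`/`Verify` functions and the hash-chained `TransparencyLog` are simplifications assumed for the example (rekor itself keeps a Merkle tree and records richer entries), and the release artifact is a constructed byte string. It shows a developer signing a release, the signature being logged, and a downstream user's verification rejecting a tampered copy, a copy re-signed with a foreign key, a missing log entry, and a log that has been rewritten after the fact.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signature is what a developer publishes next to a release artifact:
// the SHA-256 digest that was signed and the DER-encoded ECDSA signature.
// (Assumed layout; a simplified stand-in for a sigstore signature bundle.)
type Signature struct {
	Digest [32]byte
	Sig    []byte
}

// LogEntry is one record of a toy append-only transparency log. Every entry
// commits to the hash of its predecessor, so altering or dropping an earlier
// record changes all later hashes. rekor uses a Merkle tree instead; the chain
// here only illustrates the append-only property.
type LogEntry struct {
	Index    int
	Digest   [32]byte
	Sig      []byte
	PrevHash [32]byte
	Hash     [32]byte
}

// TransparencyLog stands in for the public log (rekor in sigstore).
type TransparencyLog struct {
	entries []LogEntry
}

// NewKey generates a P-256 signing key (for the developer or, below, an attacker).
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// entryHash binds index, digest, signature and the previous hash together.
func entryHash(index int, digest [32]byte, sig []byte, prev [32]byte) [32]byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d|", index)
	h.Write(digest[:])
	h.Write(sig)
	h.Write(prev[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append records a signature and returns its index, which a verifier later
// uses to look the entry up.
func (l *TransparencyLog) Append(s Signature) int {
	var prev [32]byte
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := LogEntry{Index: len(l.entries), Digest: s.Digest, Sig: s.Sig, PrevHash: prev}
	e.Hash = entryHash(e.Index, e.Digest, e.Sig, e.PrevHash)
	l.entries = append(l.entries, e)
	return e.Index
}

// Consistent recomputes the whole chain; false means the log was rewritten.
func (l *TransparencyLog) Consistent() bool {
	var prev [32]byte
	for i, e := range l.entries {
		if e.Index != i || e.PrevHash != prev || entryHash(i, e.Digest, e.Sig, prev) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

// Sign hashes the artifact and signs the digest with the developer's key.
func Sign(priv *ecdsa.PrivateKey, artifact []byte) (Signature, error) {
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Signature{}, err
	}
	return Signature{Digest: digest, Sig: sig}, nil
}

// Verify is the downstream user's check: hash the file actually downloaded,
// verify the signature over that digest with the developer's known public key,
// and confirm the same digest/signature pair sits in the log at the claimed
// index. A tampered file, a foreign key, or a missing or rewritten log entry
// all fail the check.
func Verify(tl *TransparencyLog, idx int, pub *ecdsa.PublicKey, s Signature, artifact []byte) bool {
	digest := sha256.Sum256(artifact)
	if digest != s.Digest || !ecdsa.VerifyASN1(pub, digest[:], s.Sig) {
		return false
	}
	if idx < 0 || idx >= len(tl.entries) {
		return false
	}
	e := tl.entries[idx]
	return e.Digest == digest && bytes.Equal(e.Sig, s.Sig) && tl.Consistent()
}

func main() {
	dev, _ := NewKey()
	release := []byte("constructed release archive v1.0") // sample artifact, constructed for this example
	sig, _ := Sign(dev, release)
	tl := &TransparencyLog{}
	idx := tl.Append(sig)
	fmt.Println("genuine release verifies:", Verify(tl, idx, &dev.PublicKey, sig, release))

	tampered := append(append([]byte{}, release...), []byte(" + backdoor")...)
	fmt.Println("tampered copy verifies:", Verify(tl, idx, &dev.PublicKey, sig, tampered))

	attacker, _ := NewKey()
	asig, _ := Sign(attacker, tampered)
	aidx := tl.Append(asig) // an attacker can write to a public log, but cannot sign as the developer
	fmt.Println("attacker-signed copy verifies:", Verify(tl, aidx, &dev.PublicKey, asig, tampered))
	fmt.Println("log entries:", len(tl.entries), "release digest:", hex.EncodeToString(sig.Digest[:]))
}
```

The point of the last case is why the log is public: the attacker's entry does not help them pass verification against the developer's key, but it is visible to everyone, so a signature that the developer never made, or a log whose earlier entries have been altered (which `Consistent` detects), stands out instead of disappearing.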