Chainguard Labs (https://www.chainguard.dev/chainguard-labs), the company behind Sigstore (https://www.sigstore.dev/; see also https://thenewstack.io/sigstore-code-signing-for-software-supply-chain-security/), in collaboration with MIT CSAIL and Purdue University researchers, has unveiled a new preprint (https://arxiv.org/abs/2305.06463). The motivation: as things stand, there is no guarantee that the person signing the code is actually the authorized author.

Other approaches exist. npm package provenance (https://github.blog/2023-04-19-introducing-npm-package-provenance/), for example, sidesteps this issue by using machine identities, but that does nothing for the privacy of author signatures. Speranza, the proposed approach, also requires the package repository to maintain a mapping from package names to commitments to the identities of authorized signers, so the repository records who may sign without publishing the signers' identities in the clear.
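To make the "package name to commitment" mapping concrete, here is an added illustration that is not code from the paper or from Chainguard: a repository stores, per package, a hash-based commitment to the authorized signer's identity, and a verifier checks a revealed identity against that record. The commitment scheme (SHA-256 over a random nonce and the identity), the `Repository` class and the sample identities are all assumptions made for this example; in this simplified form the verifier learns the identity when the commitment is opened, so it shows only the repository-side privacy property (the public record reveals nothing and is unlinkable across packages), not the paper's full construction.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed, simplified commitment: H(nonce || identity). The 32-byte random
# nonce hides the identity, so the repository's public record reveals neither
# who the signer is nor whether two packages share a signer.
NONCE_LEN = 32


def commit(identity: str, nonce: bytes) -> bytes:
    """Commitment to a signer identity (hypothetical scheme for illustration)."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    return hashlib.sha256(nonce + identity.encode("utf-8")).digest()


def new_commitment(identity: str) -> Tuple[bytes, bytes]:
    """Create a fresh commitment and its opening (the nonce) for an identity."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return commit(identity, nonce), nonce


class Repository:
    """Package repository that stores only package -> commitment, never identities."""

    def __init__(self) -> None:
        self._authorized: Dict[str, bytes] = {}

    def register(self, package: str, commitment: bytes) -> None:
        # The maintainer keeps the nonce; the repository sees only the commitment.
        self._authorized[package] = commitment

    def commitment_for(self, package: str) -> Optional[bytes]:
        return self._authorized.get(package)

    def linkable(self, package_a: str, package_b: str) -> bool:
        """Can an observer tell from the public record that two packages share a signer?
        With fresh nonces per registration the commitments differ even for one identity."""
        a, b = self._authorized.get(package_a), self._authorized.get(package_b)
        return a is not None and a == b


def verify_signer(repo: Repository, package: str, identity: str, nonce: bytes) -> bool:
    """Verifier-side check: does (identity, nonce) open the commitment on record for package?"""
    expected = repo.commitment_for(package)
    if expected is None:
        return False  # unknown package: nobody is authorized
    try:
        actual = commit(identity, nonce)
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def demo() -> bool:
    """Constructed walk-through with made-up package names and identities."""
    repo = Repository()
    # Maintainer registers the same (constructed) identity for two packages.
    c1, n1 = new_commitment("maintainer@example.invalid")
    c2, n2 = new_commitment("maintainer@example.invalid")
    repo.register("example-pkg-a", c1)
    repo.register("example-pkg-b", c2)
    ok = verify_signer(repo, "example-pkg-a", "maintainer@example.invalid", n1)
    wrong_person = verify_signer(repo, "example-pkg-a", "someone-else@example.invalid", n1)
    wrong_pkg = verify_signer(repo, "example-pkg-b", "maintainer@example.invalid", n1)
    return ok and not wrong_person and not wrong_pkg and not repo.linkable("example-pkg-a", "example-pkg-b")


if __name__ == "__main__":
    print("demo passed" if demo() else "demo failed")
```

The nonce is the only thing that makes the record private: a commitment computed as a bare hash of a well-known e-mail address could be reversed by guessing, so the opening must be a fresh random value that the maintainer keeps alongside the signing key.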

By marrying robust verification with the privacy measures signers need, Speranza aims to be deployable on real package repositories and in enterprise settings.
