The Kubernetes and sigstore communities today are announcing that Kubernetes is adopting sigstore in production for signing artifacts and verifying signatures, enabling Kubernetes users for the first time to verify that the distribution they are using is exactly what it claims to be.
sigstore, introduced just last year, is a free signing service for software developers that improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. As Wired put it, it's like the "John Hancock and wax seal of the digital era." It has quickly become the standard for signing, verifying and protecting software for its ability to automate digitally signing and checking software artifacts, enabling software to have a safer chain of custody that can be traced back to the source.
Kubernetes 1.24, released today, and all future releases will include cryptographically signed sigstore certificates, giving users the ability to verify signatures and have greater confidence in the origin of each and every deployed Kubernetes binary, source code bundle and container image.
"This is a huge step in protecting the integrity of the Kubernetes ecosystem and demonstrates that code signing at enormous scale is possible and frankly necessary due to the increase in supply chain attacks," said Tracy Miranda, head of open source at Chainguard. "This adoption and integration is the result of many months of work with multiple stakeholders and a testament to the power of open source collaboration."
"It's great to see adoption of sigstore, especially with a project such as Kubernetes which runs many critical workloads that need the utmost protection," said Luke Hinds, Security Engineering Lead at Red Hat, CTO & Member of the Kubernetes Security Response Team & Founder of the sigstore Project.
"Kubernetes is a well known and widely adopted open source project and can inspire other open source projects to improve their software supply chain security by following SLSA levels and signing with sigstore," said Bob Callaway, Staff Software Engineer at Google, sigstore TSC member and project founder. "We built sigstore to be easy, free and seamless so that it would be massively adopted and protect us all from supply chain attacks. Kubernetes' choice to use sigstore is a testament to that work."
The Kubernetes release team in early 2021 began exploring SLSA compliance to improve Kubernetes software supply chain security. SLSA is a security framework that includes a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. sigstore was a key project in achieving SLSA level 2 status and getting a head start towards achieving SLSA level 3 compliance, which the Kubernetes community expects to reach this August.
sigstore also delivers a variety of benefits to the Kubernetes community, including:
- sigstore's keyless signing gives a great developer experience and removes the need for painful key management.
- sigstore's public transparency log (Rekor) and APIs mean Kubernetes consumers may easily verify signed artifacts.
- sigstore's use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm Charts, configuration files and policy bundles) and OpenID Connect (OIDC), means it can integrate seamlessly with other tools and services.
- The very active, open source and vendor neutral sigstore community gives confidence that the project will be rapidly adopted and become a de-facto industry standard.
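The keyless signing and public transparency log described above are only as strong as the verifier's pin on who was allowed to sign. What follows is an added example, not code from the announcement or from the Kubernetes or sigstore projects, showing how a consumer verifies a Kubernetes release image with cosign v2 while pinning the expected signing identity and OIDC issuer. The identity and issuer defaults, the `verify_k8s_image` function name and the image reference are my assumptions; confirm the identity and issuer against the Kubernetes project's own verification documentation before relying on them.

```shell
#!/bin/sh
# Added example (not from the original announcement or from the Kubernetes/sigstore
# projects): keyless verification of a Kubernetes release image with cosign v2.
# The security-relevant point: a keyless signature only proves something useful when
# the verifier pins WHO signed (the certificate identity) and WHICH OIDC issuer vouched
# for that identity. Without the pin, any certificate issued by the sigstore CA would
# satisfy "a valid signature exists", which is not the same as "Kubernetes signed this".

COSIGN_BIN="${COSIGN_BIN:-cosign}"

# Assumed values: the identity and issuer below are my understanding of what the
# Kubernetes release pipeline uses. Treat them as placeholders to confirm against the
# project's documentation; they are not taken from the announcement text.
K8S_SIGNING_IDENTITY="${K8S_SIGNING_IDENTITY:-krel-trust@k8s-releng-prod.iam.gserviceaccount.com}"
K8S_OIDC_ISSUER="${K8S_OIDC_ISSUER:-https://accounts.google.com}"

# verify_k8s_image IMAGE
# Return codes:
#   0 = cosign accepted the signature for the pinned identity and issuer
#   1 = cosign rejected the signature (or could not fetch it)
#   2 = cosign is not installed, nothing was verified
#   3 = refused to run because the identity or issuer pin is empty (unpinned keyless
#       verification would accept a signature from anyone the sigstore CA ever certified)
verify_k8s_image() {
    image="$1"
    if [ -z "$K8S_SIGNING_IDENTITY" ] || [ -z "$K8S_OIDC_ISSUER" ]; then
        echo "refusing unpinned keyless verification of $image" >&2
        return 3
    fi
    if ! command -v "$COSIGN_BIN" >/dev/null 2>&1; then
        echo "cosign not found: install cosign v2 to verify $image" >&2
        return 2
    fi
    # cosign consults the transparency log (Rekor) and the sigstore CA roots itself;
    # the two flags below are what binds the signature to the expected release identity.
    "$COSIGN_BIN" verify \
        --certificate-identity "$K8S_SIGNING_IDENTITY" \
        --certificate-oidc-issuer "$K8S_OIDC_ISSUER" \
        "$image"
}

# When run directly with an image argument, report the result and propagate the
# return code so the script can gate a deployment step. With no argument the file
# can be sourced to reuse verify_k8s_image from other scripts.
if [ "$#" -gt 0 ]; then
    verify_k8s_image "$1"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "verified: $1"
    else
        echo "NOT verified (exit $rc): $1" >&2
    fi
    exit "$rc"
fi
```

Usage: `sh verify-k8s-image.sh registry.k8s.io/kube-apiserver:v1.24.0` (the image reference is illustrative). On success cosign prints the verified payload as JSON, which is the record a consumer can cross-check against the public Rekor log entry; any non-zero return code should stop the pipeline rather than fall through to an unsigned pull.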
"For years now SIG Release has been working to incrementally enhance the robustness of the Kubernetes project's releases. This latest announcement, and the collaboration across open source communities which made it possible, comes in the context of a growing awareness in industry that software supply chains and open source project releases are a critical area in which we must all work to improve. Security is a never ending journey, but each step delivered to decrease attackers' ability to undermine the integrity of our supply chains is an important one," said Tim Pepper, Head of Open Source Technology Center at VMware, Kubernetes Steering Committee and Emeritus SIG Release Lead.
"I'm personally proud of the whole SIG Release team and especially the Release Engineering subproject. We managed to deliver an important milestone as part of our overall Roadmap and Vision to establish a consumable, introspectable, and secure supply chain for Kubernetes. Acting as a role model for supply chain security is one of the most important efforts we're working on right now. In the Kubernetes v1.24 release cycle, we managed to finish more than 50 GitHub Issues and Pull Requests only for the Minimum Valuable Product (MVP) of container image signing, which is a tremendous achievement for the whole team! I'd like to say thank you again on behalf of the SIG Release leadership team and we're looking forward to our bright future of supply chain security," said Sascha Grunert, Kubernetes SIG Release Chair and Senior Software Engineer at Red Hat.
In addition to the millions of developers who use Kubernetes directly or indirectly, this benefits all those in a company aiming to be compliant with the recent NIST Secure Software Development Framework (SSDF) requirements. (See sigstore + NIST SSDF).