The Linux Foundation, BastionZero and Docker announced the launch of OpenPubkey as a Linux Foundation open source project. To coincide with the launch of OpenPubkey, BastionZero is announcing the integration of OpenPubkey for Docker container signing, to help secure the open source software ecosystem with zero-trust passwordless authentication.
The OpenPubkey protocol was developed as part of BastionZero's secure infrastructure access product. OpenPubkey enables users to securely and accurately bind cryptographic keys to users and workloads by turning an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA). With the rollout of this integration, Docker users can enhance software supply chain security.
This new cryptographic protocol empowers developers to build software supply chain and security applications. OpenPubkey augments OpenID Connect so that workloads and users can sign artifacts under their OpenID identity. These keys can be used to cryptographically sign statements, enabling applications such as secure remote access, or software supply chain security features such as signed builds, deployments, and code commits.
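The key binding described above, modelled as an added Go example that is not OpenPubkey's own code: a constructed IdP signs an ID token whose nonce commits to the user's public key, so the IdP's signature on the token vouches for that key, and a verifier checks the commitment before trusting the artifact signature. Ed25519 keys, the JSON claims layout, the hypothetical issuer https://idp.example and the SHA-256 commitment are assumptions made here, a simplification of OpenPubkey's real PK token format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

type Claims struct{ Iss, Sub, Nonce string } // minimal stand-in for the ID token payload
type PKToken struct {                         // simplified PK token (assumed layout)
	Payload, IdPSig, Rz []byte // IdP-signed claims, IdP signature, commitment randomness
	UserPub             ed25519.PublicKey
}
// commit binds a public key into the OIDC nonce field: hex(SHA-256(pub || rz)).
func commit(pub ed25519.PublicKey, rz []byte) string {
	h := sha256.Sum256(append(append([]byte{}, pub...), rz...))
	return hex.EncodeToString(h[:])
}
// IssueToken plays the IdP: it signs the client-chosen nonce unchanged (no IdP changes needed).
func IssueToken(idpPriv ed25519.PrivateKey, sub, nonce string) (payload, sig []byte) {
	payload, _ = json.Marshal(Claims{Iss: "https://idp.example", Sub: sub, Nonce: nonce})
	return payload, ed25519.Sign(idpPriv, payload)
}
// Sign plays the client: commit to its key, obtain the ID token, then sign the artifact digest.
func Sign(idpPriv, userPriv ed25519.PrivateKey, sub string, artifact []byte) (PKToken, []byte) {
	rz := make([]byte, 32)
	rand.Read(rz)
	pub := userPriv.Public().(ed25519.PublicKey)
	payload, sig := IssueToken(idpPriv, sub, commit(pub, rz))
	d := sha256.Sum256(artifact)
	return PKToken{payload, sig, rz, pub}, ed25519.Sign(userPriv, d[:])
}
// Verify checks IdP signature, key commitment and artifact signature; returns the signer's OIDC subject.
func Verify(idpPub ed25519.PublicKey, tok PKToken, artifact, artSig []byte) (string, error) {
	if !ed25519.Verify(idpPub, tok.Payload, tok.IdPSig) {
		return "", errors.New("ID token not signed by IdP")
	}
	var c Claims
	if json.Unmarshal(tok.Payload, &c) != nil || c.Nonce != commit(tok.UserPub, tok.Rz) {
		return "", errors.New("nonce does not commit to this public key")
	}
	if d := sha256.Sum256(artifact); !ed25519.Verify(tok.UserPub, d[:], artSig) {
		return "", errors.New("artifact signature invalid")
	}
	return c.Sub, nil
}
```

A verifier that skips the commitment check would accept any key presented next to a genuine ID token, which is the substitution the nonce binding exists to prevent.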
"The Linux Foundation is proud to host the OpenPubkey Project," said Jim Zemlin, Executive Director of the Linux Foundation. "We believe this initiative will play a pivotal role in strengthening the security of the open source software community. We encourage developers and organizations to join this collaborative effort in enhancing software supply chain security."
"We introduced OpenPubkey as its own standalone protocol to make it easy and secure to use digital signatures with OpenID Connect," said Ethan Heilman, co-founder and CTO of BastionZero. "We are excited to partner with Docker to offer its community of software developers and open source contributors a simple and convenient way for users, service accounts, machines, or workloads to create digital signatures using their identity."
"TestifySec recognizes the value in enhancing software supply chain security," said Cole Kennedy, CEO of TestifySec. "We're impressed with OpenPubkey's approach to easy and trustworthy signing. Docker's collaboration with BastionZero has our full support, and we're eager to see the broader community benefit from it."
BastionZero and Docker are excited to bring this technology to the broader open source community under the Linux Foundation and aim to expand the reach of OpenPubkey, foster increased collaboration, and improve software security across the open source ecosystem. To learn more about how the integration of OpenPubkey is enhancing open source software supply chain security, including how to get involved, contribute, and join the community, please visit the GitHub page.