We’re excited to report the results of the security audit of sigstore. Sigstore is a new standard for signing, verifying and protecting software, and has quickly grown into a premier tool for securing the software supply chain. The security review was facilitated by Open Source Technology Improvement Fund and carried out by Include Security.

The goal of security audits is to find vulnerabilities so they can be fixed before attackers exploit them, as well as to identify opportunities to harden a project’s implementation and processes to counter vulnerabilities in the future. The sigstore team demonstrated a strong commitment to improving security posture by requesting independent review and actively participating in the audit process.

The results of the security audit are three findings (1 High Risk, 2 Low Risk), fuzzing improvements, and a documented threat model. 

The high-risk finding and one of the low-risk findings identified through this security audit have been fixed and validated. See below for the full report.

A big thank you to the Linux Foundation and OpenSSF for supporting the work and to the sigstore project for funding the audit. Furthermore, thank you to the Include Security team for executing the audit and working with us to make and validate fixes. 

Also special thanks to Bob Calloway, Brian Behlendorf, David A. Wheeler, Dan Lorenc, and Luke Hinds for their role in the engagement. 

Proactive security audits go a long way in detecting and fixing vulnerabilities. Everyone around the world depends on OSS, and we would love to do more security audits! If you’re interested in financially supporting this work, contact [email protected].

References:

Link to full report: https://ostif.org/wp-content/uploads/2022/07/OSTIF-2022-Q1-Sigstore-Report-v3.pdf

Link to OpenSSF blog post: https://openssf.org/blog/2022/07/18/results-of-sigstore-and-slf4j-security-audits/