Supply chain attacks undermine our implicit trust in open source in order to harm the developers as well as our customers. Find out how NPM can dramatically minimize supply chain attacks by signing packages using Sigstore.
As stewards for the registry for npm, we have taken the security of the npm registry seriously and continue to make various improvements to enhance the security and reliability of this registry. We’ve announced several modifications over the past few months to increase the security and reliability of the npm such as requiring two-factor authentication along with a more efficient login procedure, as well as the enhanced signature of artifacts. These modifications help to protect open source users from software supply chain attack; in terms of when malicious users attempt to spread malware, they must first breach the account of a maintainer and then installing malicious software on open source dependencies that a lot of developers make use of.
Today, we’re launching an RFC for comments (RFC) that focuses on linking a package to its source repository and build environment. If package maintainers sign up for this service, the users of their products are more confident that the content of the package is consistent with the content of the repository linked to it.
Historically linking packages back to source code was a challenge since it required every project to sign up as well as manage their own keys to cryptographic. A new initiative from the Linux Foundation and Open Source Security Foundation (OpenSSF) named Sigstore makes this method simpler and safer than the previous methods, as it does not require developers to manage the long-lived cryptographic keys. The project has had an early adoption by other ecosystems of package managers. With the release of today’s RFC We are proposing to support the end-to-end signature of packages created by npm by using Sigstore. This will include the creation of attestations regarding the date, time, and location of the method of creating the package and signed, so that it could be later verified.
Secure the supply chain of software is one of the major security issues our industry is facing right now. This idea is a crucial next step, but tackling this issue will require dedication and investment from the entire community. We’re looking forward to hearing your thoughts and are looking forward to embarking along with us