One of the largest trust obstacles facing software developers today is the mitigation and prevention of software supply chain attacks. A software supply chain attack can be thought of as any compromise that enables some malicious behavior to take place. Beyond being a simple security issue, a supply chain attack is particularly bad because effects can be deliberate, they can go unnoticed for a very long time, and the attack can be clandestine. Supply chain attacks on computer code or executable files are nothing new, but their frequency and severity is dramatically increasing.
Securing software from supply chain attacks is actually a very hard problem. According to a report published by the director of national intelligence:
“Attackers may seek to exploit tools, dependencies, shared libraries, and third-party code in addition to compromising the personnel and infrastructure of developers and distributors.”
There are many different attack surfaces and methods used to compromise the software supply chain. A single solution will not comprehensively solve this growing problem.
Developers have adopted code commit signing as an important step in mitigating the supply chain attack surface. Using cryptography, code commit signing indicates the origin of changes within source control systems. Code signing can additionally help end users determine if a binary or executable is as the developer intended and has not been altered. If a recipient trusts a particular cryptographic key or certificate, then software and code signed with that key or certificate has certain provenance assurances. Combined with proper key or certificate identity verification, much stronger trust guarantees are possible.
I have used hardware token PGP keys for some time to sign project artifacts, invoices, receipts, and other communications. I have also recently begun signing my source code commits and tags using that same PGP key. I believe that signing my work with my hardware token-generated cryptographic keys combined with other workflow changes will lessen the total attack surface for software supply chain attacks. I do believe that this is an important small step for all developers to take and that it will make a meaningful difference if enough developers do it.
For information on specific PGP keys that Baseline Softworks, LLC uses to sign software or source code, check out the End-To-End Encryption page. If you are interested in creating your own hardened PGP key, then read the tutorial by Eric Severance (esev.com) for a good start point.