
Linux Foundation Announces Free sigstore Signing Service to Confirm Origin and Authenticity of Software

Red Hat, Google and Purdue University lead efforts to ensure software maintainers, distributors and consumers have full confidence in their code, artifacts and tooling

SAN FRANCISCO, Calif., March 9, 2021 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the sigstore project. sigstore improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies.

sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log. The service will be free to use for all developers and software providers, with the sigstore code and operation tooling developed by the sigstore community. Founding members include Red Hat, Google and Purdue University.

“sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO. “By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development.”

Understanding and confirming the origin and authenticity of software relies on an often disparate set of approaches and data formats. The solutions that do exist often rely on digests stored on insecure systems that are susceptible to tampering, which can lead to attacks such as swapping out digests or users falling prey to targeted attacks.

“Securing a software deployment ought to start with making sure we’re running the software we think we are. Sigstore represents a great opportunity to bring more confidence and transparency to the open source software supply chain,” said Josh Aas, executive director, ISRG | Let’s Encrypt.

Very few open source projects cryptographically sign their software release artifacts. This is largely due to the challenges maintainers face with key management, key compromise and revocation, and the distribution of public keys and artifact digests. In turn, users are left to work out which keys to trust and to learn the steps needed to validate signatures. Further problems exist in how digests and public keys are distributed: they are often stored on websites susceptible to compromise, or in a README file in a public git repository. sigstore seeks to solve these issues by using short-lived ephemeral keys with a trust root anchored in an open and auditable public transparency log.

“I am very excited about the prospects of a system like sigstore. The software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure. This will set a new tone in the software supply chain security conversation,” said Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, University of Purdue / in-toto project founder.

“sigstore is poised to advance the state of the art in open source development,” said Mike Dolan, senior vice president and general manager of Projects at the Linux Foundation. “We are happy to host and contribute to work that enables software maintainers and consumers alike to more easily manage their open source software and security.”

“sigstore aims to make all releases of open source software verifiable, and easy for users to actually verify them. I’m hoping we can make this as easy as exiting vim,” said Dan Lorenc, Google Open Source Security Team. “Watching this take shape in the open has been fun. It’s great to see sigstore in a stable home.”

For more information and to contribute, please visit: https://sigstore.dev

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact

Jennifer Cloer

for Linux Foundation

503-867-2304

jennifer@storychangesculture.com

The post Linux Foundation Announces Free sigstore Signing Service to Confirm Origin and Authenticity of Software appeared first on Linux Foundation.

What commands are missing from your bashrc file?

See what these Linux sysadmins have in their bashrc files and save time on the command line.
Read More at Enable Sysadmin

Overview of the Kubernetes Security Essentials Training Course

We recently launched the LFS260 – Kubernetes Security Essentials eLearning course in partnership with the Cloud Native Computing Foundation (CNCF), the home of Kubernetes. This course provides the skills and knowledge on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. It also gets you ready to sit for the Certified Kubernetes Security Specialist (CKS) exam.

In this new video, Linux Foundation Training & Certification instructor Tim Serewicz, who created the eLearning course and was instrumental in creating the CKS exam, provides an overview of what you can expect during this training, with topics including:

  • Cloud security overview
  • Preparing to install
  • Installing the cluster
  • Securing the kube-apiserver
  • Networking
  • Workload considerations
  • Issue detection
  • And more…

Watch Tim’s video to learn more about this exciting course and how it can help you improve the security of your cloud native applications!

The post Overview of the Kubernetes Security Essentials Training Course appeared first on Linux Foundation – Training.

Quick tips for the OpenShift oc client

Learn some quick tips for working with OpenShift’s command-line client, oc.
Jose Antonio G…
Mon, 3/8/2021 at 1:59pm

If you’ve played around with Kubernetes, you are aware of the rapid evolution of the most widely used container orchestration platform. Red Hat OpenShift is an enterprise-ready application platform built on Kubernetes and ready for production environments. With OpenShift 4, Red Hat aims to provide new releases at a frequent cadence.

Topics: Linux, Linux Administration, Openshift
Read More at Enable Sysadmin

3 skills that every Linux sysadmin should bring to the table

Do you have these three skills to help you be a successful sysadmin? Check yourself against this list.
Silvana Carpineanu
Sun, 3/7/2021 at 2:17pm

There’s a lot of specialization in the world of system administration. If you started out a decade or more ago as a sysadmin, you know that learning resources were scarce. Skills that every sysadmin professional should possess weren’t easily found online or elsewhere. To ensure that you have the right skills for the job, you need to have a strong knowledge base. Doing so will increase your chances of landing a good position and getting a higher salary.

Topics: Linux, Sysadmin culture, Career
Read More at Enable Sysadmin

Getting started with PostgreSQL on Linux

How does PostgreSQL support science, research, industry, GIS, and web tech? Find out how to get started with this powerful database service.
Read More at Enable Sysadmin

How to use Ansible to configure a reverse proxy 

Placing a load balancer in front of your web server infrastructure helps ensure any spike in traffic doesn’t bring down the site.
Sarthak Jain
Fri, 3/5/2021 at 3:41am

What is a load balancer? A load balancer is an efficient way to distribute network traffic among various backend servers; the set of servers behind it is also known as a server farm or server pool. It distributes client requests or network load to the target web servers. Load balancers commonly use round-robin scheduling, which spreads requests across the pool and improves reliability and availability.

Topics: Linux, Ansible
Read More at Enable Sysadmin

An Introduction to WebAssembly

By Marco Fioretti

What on Earth is WebAssembly?

WebAssembly, also called Wasm, is a Web-optimized code format and API (Application Programming Interface) that can greatly improve the performance and capabilities of websites. Version 1.0 of WebAssembly was released in 2017, and it became an official W3C standard in 2019.

The standard is actively supported by all major browser vendors, for obvious reasons: the official list of “inside the browser” use cases mentions, among other things, video editing, 3D games, virtual and augmented reality, p2p services, and scientific simulations. Besides making browsers much more powerful than JavaScript alone could, this standard may even extend the lifespan of websites: for example, it is WebAssembly that powers the continued support of Flash animations and games at the Internet Archive.

WebAssembly isn’t just for browsers, though; it is currently being used in mobile and edge-based environments with products such as Cloudflare Workers.

How WebAssembly works

Files in .wasm format contain low-level binary instructions (bytecode), executable at “near CPU-native speed” by a stack-based virtual machine. The code is packaged in modules, objects that are directly executable by a browser, and each module can be instantiated multiple times by a web page. The functions defined inside a module are listed in one dedicated array, the Table, and the module’s data live in another structure, its linear memory, which is exposed to JavaScript as an ArrayBuffer. Developers can explicitly allocate memory for .wasm code with the JavaScript WebAssembly.Memory constructor.

A pure text version of the .wasm format, which can greatly simplify learning and debugging, is also available. WebAssembly, however, is not really intended for direct human use. Technically speaking, .wasm is just a browser-compatible compilation target: a format into which compilers can automatically translate code written in high-level programming languages.

This choice is exactly what allows developers to program directly for the preferred user interface of billions of people, in languages they already know (C/C++, Python, Go, Rust and others) that browsers could not run efficiently before. Even better, programmers get this, at least in theory, without ever looking directly at WebAssembly code or worrying about which physical CPUs will actually run their code, since the target is a virtual machine.

But we already have JavaScript. Do we really need WebAssembly?

Yes, for several reasons. To begin with, being binary instructions, .wasm files can be much smaller, and therefore much faster to download, than JavaScript files of equivalent functionality. Above all, JavaScript files must be fully parsed and verified before a browser can convert them to bytecode usable by its internal virtual machine.

.wasm files, instead, can be verified and compiled in a single pass, which makes “streaming compilation” possible: a browser can start to compile and execute them the moment it starts downloading them, just as happens with streaming video.

That said, not every conceivable WebAssembly application will be faster, or smaller, than an equivalent JavaScript one that has been manually optimized by expert programmers. This may happen, for example, if a .wasm module has to include libraries that JavaScript would not need.

Does WebAssembly make JavaScript obsolete?

In a word: no. Certainly not for a while, at least inside browsers. WebAssembly modules still need JavaScript because, by design, they cannot access the Document Object Model (DOM), the main API for modifying web pages. Besides, .wasm code cannot make system calls or read the browser’s memory. WebAssembly only runs in a sandbox and, in general, can interact with the outside world even less than JavaScript can, and only through JavaScript interfaces.

Therefore, at least in the near future, .wasm modules will just provide, through JavaScript, the parts that would consume much more bandwidth, memory or CPU time if they were written in JavaScript.

How web browsers run WebAssembly

In general, a browser needs at least two pieces to handle dynamic applications: a virtual machine (VM) that runs the app code, and standard APIs that the code can use to modify both the behaviour of the browser and the content of the web page it displays.

The VMs inside modern browsers support both JavaScript and WebAssembly in the following way:

  1. The browser downloads a web page written in the HTML markup language and renders it.
  2. If that HTML calls JavaScript code, the browser’s VM executes it. But…
  3. If that JavaScript code instantiates a WebAssembly module, that module is fetched as explained above and then used as needed by JavaScript, via the WebAssembly APIs.
  4. When the WebAssembly code produces something that would alter the DOM (the structure of the “host” web page), the JavaScript code receives it and performs the actual alteration.
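The flow above, together with the module, Table and linear-memory description in “How WebAssembly works”, the single-pass validation of “Do we really need WebAssembly?” and the sandbox point of “Does WebAssembly make JavaScript obsolete?”, as an added example that is not part of the original article. It hand-assembles a small .wasm module in JavaScript, validates and instantiates it, and has the JavaScript host copy data into the module’s linear memory and call into it. It assumes Node.js (16 or later) rather than a browser, so the host-side step that would touch the DOM is reduced to returning a value; the byte encodings are the ones defined by the WebAssembly binary format, while the function names `add` and `sum_bytes` and the helper names are the example’s own.

```javascript
// Added example (not from the article): hand-assembles a tiny WebAssembly
// module and runs it under Node.js (assumed: Node 16+ with the global
// WebAssembly object and TextEncoder). It shows the pieces the article names:
// a binary .wasm format, a virtual machine, a shared linear memory, and a
// JavaScript host that is the module's only window to the outside world.

// Unsigned LEB128, the variable-length integer encoding the binary format
// uses for every count and size.
function uleb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}

// A vector is a count followed by its items; a section is an id byte,
// the byte length of its payload, then the payload.
const vec = (items) => [...uleb(items.length), ...items.flat()];
const section = (id, payload) => [id, ...uleb(payload.length), ...payload];
const name = (s) => vec([...new TextEncoder().encode(s)]);
const I32 = 0x7f, FUNC = 0x60, END = 0x0b;

// A function body is its locals vector, the instructions, then `end`,
// all prefixed by the body's byte length.
const body = (locals, code) => {
  const b = [...vec(locals), ...code, END];
  return [...uleb(b.length), ...b];
};

// Text form: (func $add (param i32 i32) (result i32) local.get 0 local.get 1 i32.add)
const ADD = [0x20, 0, 0x20, 1, 0x6a];

// Text form:
// (func $sum_bytes (param $ptr i32) (param $len i32) (result i32) (local $acc i32)
//   block loop
//     local.get $len  i32.eqz  br_if 1                            ;; done when len == 0
//     local.get $acc  local.get $ptr  i32.load8_u  i32.add  local.set $acc
//     local.get $ptr  i32.const 1  i32.add  local.set $ptr
//     local.get $len  i32.const 1  i32.sub  local.set $len
//     br 0
//   end end
//   local.get $acc)
// The only memory access is i32.load8_u on the module's own linear memory;
// no instruction exists that could reach the host's memory.
const SUM_BYTES = [
  0x02, 0x40, 0x03, 0x40,
  0x20, 1, 0x45, 0x0d, 1,
  0x20, 2, 0x20, 0, 0x2d, 0, 0, 0x6a, 0x21, 2,
  0x20, 0, 0x41, 1, 0x6a, 0x21, 0,
  0x20, 1, 0x41, 1, 0x6b, 0x21, 1,
  0x0c, 0, END, END,
  0x20, 2,
];

// Assemble the module: magic, version, then sections in the mandated order.
function buildModuleBytes() {
  const funcType = [FUNC, ...vec([I32, I32]), ...vec([I32])]; // (i32, i32) -> i32
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,           // "\0asm", version 1
    ...section(1, vec([funcType])),                           // type section
    ...section(3, vec([[0], [0]])),                           // both functions use type 0
    ...section(5, vec([[0x00, 1]])),                          // one memory, min 1 page (64 KiB)
    ...section(7, vec([
      [...name("add"), 0x00, 0],                              // export func 0 as "add"
      [...name("sum_bytes"), 0x00, 1],                        // export func 1 as "sum_bytes"
      [...name("memory"), 0x02, 0],                           // export the linear memory
    ])),
    ...section(10, vec([body([], ADD), body([[1, I32]], SUM_BYTES)])),
  ]);
}

// Validation and compilation are one pass over the bytes. The empty import
// object is the sandbox boundary: this module can call nothing in the host.
function instantiateModule() {
  const bytes = buildModuleBytes();
  if (!WebAssembly.validate(bytes)) throw new Error("module failed validation");
  return new WebAssembly.Instance(new WebAssembly.Module(bytes), {}).exports;
}

// Host side: JavaScript copies data into the shared linear memory, calls
// into the module, and is the code that would later touch the DOM.
function sumFromHost(exports, data) {
  const view = new Uint8Array(exports.memory.buffer);
  view.set(data, 0);
  return exports.sum_bytes(0, data.length);
}

const demo = instantiateModule();
console.log("add(2, 40) =", demo.add(2, 40));
console.log("sum_bytes over [1, 2, 3, 250] =", sumFromHost(demo, [1, 2, 3, 250]));
```

Run it with `node`. Step 3 of the list corresponds to `instantiateModule`, and step 4 to `sumFromHost`: the module never sees anything but its exported `memory`, and a result only reaches the page when the JavaScript caller takes the return value and acts on it. The synchronous `WebAssembly.Module` constructor is used here because Node permits it for any size; in a browser, larger modules go through `WebAssembly.instantiateStreaming` so that compilation overlaps the download, as the article describes.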

How can I create usable WebAssembly code?

More and more programming language communities support compiling to Wasm directly; we recommend the introductory guides from webassembly.org as a starting point, depending on which language you work with. Note that not all programming languages have the same level of Wasm support, so your mileage may vary.

We plan to release a series of articles in the coming months providing more information about WebAssembly. To get started using it yourself, you can enroll in The Linux Foundation’s free Introduction to WebAssembly online training course.

The post An Introduction to WebAssembly appeared first on Linux Foundation – Training.

The Linux Foundation Continues to Expand Japanese Language Training & Certification

Japan is one of the world’s biggest markets for open source software, which means there is a constant need for upskilling of existing talent and to bring new individuals into the community to meet hiring demand. The Linux Foundation is committed to expanding access to quality open source training and certification opportunities, which is why we have developed a number of Japanese language offerings. 

The newest is LFS272-JP Hyperledger Fabric Administration, which became available this week. Hyperledger Fabric – a distributed ledger (blockchain) technology – is intended as a foundation for developing applications or solutions with a modular architecture. Hyperledger Fabric allows components, such as consensus and membership services, to be plug-and-play. Its modular and versatile design satisfies a broad range of industry use cases, and it offers a unique approach to consensus that enables performance at scale while preserving privacy. 

LFS272-JP provides a deep understanding of the Hyperledger Fabric network and how to administer and interact with chaincode, manage peers, and operate basic CA-level functions. Upon completion, participants will have a good understanding of the Hyperledger Fabric network topology, chaincode operations, administration of identities, permissions, how and where to configure component logging, and much more. The course also serves as preparation for the Certified Hyperledger Fabric Administrator (CHFA-JP) exam, which can be taken with a Japanese proctor (the exam itself is conducted in English).

While Hyperledger Fabric Administration is the newest Japanese course offered by Linux Foundation Training & Certification, it is far from alone. Our catalog of Japanese-language offerings includes:

  • System Administration/Engineering
  • Cloud & Containers
  • Blockchain

We also partnered with LPI-Japan recently to make certifications even more accessible in Japan, creating new stacked certifications leveraging LPI-Japan’s LinuC 1 and LinuC 2 with The Linux Foundation’s CKA and CKAD.

Linux Foundation Executive Director Jim Zemlin commented, “Japan is one of the top contributors to the open source community globally, in terms of code as well as financial support and end user adoption. We know how important it is to support the open source community in Japan, which is why The Linux Foundation is proud to offer Japanese language training and certification options for that community. Our team looks forward to continuing to expand these learning opportunities in the future.”

The post The Linux Foundation Continues to Expand Japanese Language Training & Certification appeared first on Linux Foundation – Training.

An introduction to Ansible facts

Read More at Enable Sysadmin