SigstoreCon Supply Chain Day 2024

Sigstore has witnessed significant adoption since its launch, becoming a big player in software supply chain security. Research has primarily focused on identity verification and transparency log witnessing (i.e.,verifying log consistency). However, the semantics security (i.e., the content) of log entries remains largely unexplored. Given generic witnessing solutions are not one-size-fits-all, we analyze the dynamics of Rekor log entries to gain insights to enable better misbehavior detection and stronger identity verification. Our analysis answers these questions: * What are the trends in Sigstore adoption over time? * What are the patterns in certificates, and generated signatures? * What kinds of identities are involved in signing? * What actors are performing these signing actions?

Attackers are increasingly exploiting the trust-based, interconnected nature of the open source supply chain, with malware being distributed through package ecosystems, often hidden within the complexity of upstream dependencies. In this talk, we will showcase how Sigstore provenance can serve as a powerful source of truth for verifying package proof-of-origin. The absence of clear provenance, combined with other metadata signals, can act as a strong indicator of potential malicious intent. As a case study, we will discuss a recent spike in DPRK state-sponsored attacks hosted on NPM, where APT groups aimed to harvest cryptocurrencies and establish backdoors on developer machines. Attendees will gain valuable insights into the critical role Sigstore plays in supply chain threat detection, and understand how its broader adoption can help protect the entire ecosystem. By promoting stronger provenance verification, the community can more effectively distinguish between legitimate packages and harmful imitations.