Supply Chain Security

Code Signing Infrastructure & Supply Chain Security

The software supply chain is the new attack surface. SolarWinds, Codecov, and thousands of dependency confusion attacks demonstrate that compromising build systems yields access to every downstream consumer. Cryptographic provenance establishes trust from source to deployment.

SLSA Level 3 Sigstore in-toto SBOM SSDF Firmware Signing
Federal Requirements: EO 14028 & SSDF Compliance

Executive Order 14028 (Improving the Nation's Cybersecurity) mandates software supply chain security for federal contractors. NIST SP 800-218 (Secure Software Development Framework) establishes baseline practices. OMB M-22-18 requires SBOM provision for software sold to federal agencies.

Organizations selling to the U.S. government must demonstrate secure development practices including: build environment hardening, provenance attestation, dependency scanning, and cryptographic signing of all artifacts.

The Epistemology of Software Provenance

Code signing traditionally answered a narrow question: "Was this binary produced by the claimed publisher?" Modern supply chain security demands broader provenance: "Was this artifact built from the claimed source, using the claimed build process, with all dependencies verified, in a tamper-evident environment?"

The SLSA framework (Supply-chain Levels for Software Artifacts) codifies these requirements into graduated assurance levels. SLSA Level 1 provides basic provenance documentation; Level 3 requires hardened build platforms with non-falsifiable provenance; Level 4 demands two-party review and hermetic builds. Each level represents increasing resistance to supply chain attacks.

Sigstore operationalizes these principles through keyless signing—ephemeral keys generated at build time, backed by identity from OIDC providers, with signatures recorded in an immutable transparency log (Rekor). This eliminates key management overhead while providing stronger guarantees than traditional code signing.

SLSA Security Levels & Requirements
SLSA Level 1 Documentation ✓ Scripted build ✓ Provenance exists ✗ No verification ✗ Mutable history Resists: Accidental SLSA Level 2 Hosted Build ✓ Hosted build service ✓ Signed provenance ✓ Build service auth ✗ Build can be modified Resists: Tampering SLSA Level 3 Hardened Build ✓ Hardened platform ✓ Non-falsifiable prov. ✓ Isolated build ✓ Ephemeral environment Resists: Compromise RECOMMENDED Target: SLSA Level 3 for production software Required for federal sales

Sigstore: Keyless Code Signing

Traditional code signing suffers from key management complexity: private keys must be generated securely, stored in HSMs, rotated periodically, and revoked when compromised. Key compromise invalidates all previously-signed artifacts; key loss prevents future signing. Sigstore eliminates this burden through keyless signing.

Sigstore Component Architecture
Fulcio, Rekor, and Cosign integration
Fulcio
Certificate Authority that issues short-lived certificates bound to OIDC identities. Certificates valid for 10 minutes, eliminating key management.
Rekor
Immutable transparency log recording all signing events. Merkle tree structure enables tamper detection and inclusion proofs.
Cosign
CLI tool for signing and verifying container images and blobs. Integrates with Fulcio/Rekor for keyless workflow.
# Sign a container image (keyless)
$ cosign sign --yes ghcr.io/myorg/myimage:v1.0.0
Generating ephemeral keys...
Retrieving signed certificate from Fulcio...
Pushing signature to registry...
Uploading to transparency log (Rekor)...
tlog entry: https://rekor.sigstore.dev/api/v1/log/entries/...

# Verify signature
$ cosign verify \
    --certificate-identity "builder@myorg.iam.gserviceaccount.com" \
    --certificate-oidc-issuer "https://accounts.google.com" \
    ghcr.io/myorg/myimage:v1.0.0
Verification: PASSED

Case Study: The SolarWinds Supply Chain Attack

The SolarWinds breach (discovered December 2020) represents the canonical supply chain attack against software build systems. Russian state actors (APT29) compromised SolarWinds' build infrastructure, injecting malicious code into the Orion software update process. The backdoored updates were properly signed with SolarWinds' legitimate code signing certificate—demonstrating that traditional signing is necessary but insufficient.

SUNBURST Attack Timeline
APT29 / Nobelium, 2019-2020
18,000+
Organizations Downloaded Backdoor
14
Months Undetected in Build System
100+
Organizations Actively Compromised

Attack Mechanism: The SUNSPOT implant monitored build processes for Orion compilation, replacing source files during build with backdoored versions. The malicious code was compiled into legitimately-signed binaries, bypassing all signature verification checks.

Prevention: SLSA Level 3+ requirements would have prevented this attack through: isolated build environments (no persistent access), non-falsifiable provenance linking binaries to source commits, and reproducible builds enabling independent verification that source produces expected output.

Software Bill of Materials (SBOM)

An SBOM provides a complete inventory of software components—direct dependencies, transitive dependencies, and their versions. When a vulnerability like Log4Shell (CVE-2021-44228) emerges, organizations with comprehensive SBOMs can immediately identify affected systems; those without face weeks of manual auditing.

Format Maintainer Primary Use Case Federal Acceptance
SPDX Linux Foundation License compliance, vulnerability tracking ISO/IEC 5962:2021
CycloneDX OWASP Security analysis, VEX integration ECMA-424
SWID ISO/IEC Software asset management ISO/IEC 19770-2

OMB M-22-18 requires federal agencies to obtain SBOMs for all software purchases. CycloneDX and SPDX are the recommended formats per NTIA minimum elements guidance.

Code Signing & Supply Chain Services

SLSA Implementation
Build system hardening to achieve SLSA Level 3. Provenance generation, attestation signing, and policy verification. GitHub Actions, GitLab CI, and Jenkins integration.
Sigstore Deployment
Private Sigstore instance deployment for air-gapped environments. Fulcio CA configuration, Rekor log operation, and Cosign integration with container registries.
SBOM Generation & VEX
Automated SBOM generation in SPDX and CycloneDX formats. Vulnerability Exploitability eXchange (VEX) document creation for vulnerability status communication.
Traditional Code Signing
HSM-backed code signing for Windows (Authenticode), macOS (codesign), and Java (jarsigner). Extended Validation certificate procurement and timestamping configuration.
Firmware Signing
Secure boot implementation for IoT and embedded systems. Firmware signing infrastructure, bootloader verification chains, and OTA update security.
Policy Enforcement
Kubernetes admission controllers for signature verification. Kyverno and OPA Gatekeeper policy development. Container image provenance enforcement in CI/CD.

Foundational Research & Standards

Software supply chain security has rapidly evolved following high-profile incidents.

USENIX Security 2019
in-toto: Providing farm-to-table guarantees for bits and bytes
Torres-Arias, Afzali, Kuppusamy, Cappos · NYU
NIST SP 800-218
Secure Software Development Framework (SSDF)
National Institute of Standards and Technology
ACM CCS 2020
Diplomat: Using Delegations to Protect Community Repositories
Kuppusamy, Diaz, Cappos · NYU
EO 14028
Executive Order on Improving the Nation's Cybersecurity
Executive Office of the President, May 2021
SLSA v1.0
Supply-chain Levels for Software Artifacts Specification
OpenSSF SLSA Working Group
USENIX Security 2016
Diplomat: Using Delegations to Protect Community Repositories
The Update Framework (TUF) · NYU

Request Supply Chain Security Assessment

Our engineers will evaluate your build systems and software delivery pipeline, providing a roadmap to SLSA compliance and federal procurement readiness.

Start a Conversation

Tell us about your security requirements. We respond within 24 hours.

Encrypted transmission