
OSS Provenance and Code Signing

Eclipse Foundation via YouTube

Overview

Explore the critical challenges of open source software provenance and code signing in this 42-minute webinar from the Eclipse Foundation's CRA Mondays series. Learn why most OSS projects ship releases that are neither verified nor signed, which undermines the trust model behind Linus's Law and leaves downstream consumers exposed to supply chain attacks such as the 2024 XZ Utils backdoor. See how the SignPath Foundation provides free, secure code signing for 250 OSS projects, going beyond protecting the signing key to also controlling how a release is built before it is signed. Examine the project eligibility criteria, the build requirements (hosted development, branch protection) and the SLSA-style controls that are meant to make distribution trustworthy. Follow a real-world walk-through from a GitHub release to a signing request, understand the nested signing problem for MSIs, EXEs, JARs and runtime components, and look at the certificate and CA model SignPath uses with GlobalSign. The session closes with an outlook on dependencies, attestations and the implications of the Cyber Resilience Act (CRA), followed by a Q&A covering attestations, interoperability and working group initiatives for improving OSS security infrastructure.
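The overview's core point is that a signature only helps if it binds a specific artifact to a trustworthy build, so a downloader must check more than "the signature verifies". The following added example (written for this page, not SignPath's or SLSA's own code) shows the three checks a release consumer needs: the provenance statement verifies under a trusted key, the artifact on disk matches the digest inside that statement, and the statement names an expected builder. The `Statement` fields, the builder name `hosted-ci`, and the sample artifact bytes are all assumptions constructed for the demo; real SLSA provenance uses the in-toto statement format, which is richer than this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is a deliberately minimal, SLSA-style provenance statement that
// binds a release artifact (by SHA-256 digest) to the build that produced it.
// The field set is an assumption for this example, not SignPath's format.
type Statement struct {
	Subject    string `json:"subject"`    // artifact file name
	Digest     string `json:"sha256"`     // hex SHA-256 of the artifact bytes
	SourceRepo string `json:"sourceRepo"` // hosted repository the build pulled from
	Commit     string `json:"commit"`     // commit that was built
	Builder    string `json:"builder"`    // identity of the hosted build service
}

// Bundle is what a project publishes next to the artifact.
type Bundle struct {
	Statement []byte `json:"statement"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature     = errors.New("signature does not verify under trusted key")
	ErrDigestMismatch   = errors.New("artifact digest does not match signed statement")
	ErrUntrustedBuilder = errors.New("statement was not produced by a trusted builder")
)

// Sign hashes the artifact, embeds the digest in a statement and signs the
// serialized statement. Only the signing service holds priv.
func Sign(priv ed25519.PrivateKey, name string, artifact []byte, repo, commit, builder string) (Bundle, error) {
	sum := sha256.Sum256(artifact)
	st := Statement{Subject: name, Digest: hex.EncodeToString(sum[:]), SourceRepo: repo, Commit: commit, Builder: builder}
	enc, err := json.Marshal(st)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{Statement: enc, Signature: ed25519.Sign(priv, enc)}, nil
}

// Verify performs the checks a downloader needs before trusting a release:
// the statement is signed by the trusted key, the bytes on disk match the
// signed digest, and the build came from the builder we expect.
func Verify(pub ed25519.PublicKey, artifact []byte, b Bundle, trustedBuilder string) (Statement, error) {
	var st Statement
	if !ed25519.Verify(pub, b.Statement, b.Signature) {
		return st, ErrBadSignature
	}
	if err := json.Unmarshal(b.Statement, &st); err != nil {
		return st, err
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != st.Digest {
		return st, ErrDigestMismatch
	}
	if st.Builder != trustedBuilder {
		return st, ErrUntrustedBuilder
	}
	return st, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-in for a release tarball; not a real project artifact.
	artifact := []byte("constructed release tarball bytes")
	bundle, _ := Sign(priv, "tool-1.0.tar.gz", artifact, "https://github.com/example/tool", "abc123", "hosted-ci")

	_, err := Verify(pub, artifact, bundle, "hosted-ci")
	fmt.Println("genuine artifact:", err)

	// An XZ-style swap: the tarball is altered after the build was signed.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1
	_, err = Verify(pub, tampered, bundle, "hosted-ci")
	fmt.Println("tampered artifact:", err)
}
```

Note that the digest check is what catches a tampered tarball even though the signature over the statement is still perfectly valid; checking the signature alone would pass.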

Syllabus

0:00:00 – Welcome to CRA Mondays & Session Overview
0:04:39 – The Problem: Secure Distribution & Code Signing for OSS
0:09:08 – Project Eligibility: Admission Criteria for SignPath Foundation
0:13:16 – Build Requirements: Hosted Development, Branch Protection & SLSA-Style Controls
0:15:12 – Example Project: From GitHub Release to Signing Request
0:17:39 – The XZ Utils Supply Chain Attack Case Study
0:20:25 – Nested Signing: MSIs, EXEs, JARs & Runtime Components
0:24:12 – Code Signing Challenges & SignPath's Certificate / CA Model (GlobalSign)
0:30:19 – Looking Ahead: Dependencies, Attestations & CRA Implications
0:34:43 – Q&A: Attestations, Interoperability & Working Group Next Steps

Taught by

Eclipse Foundation
