GitHub moves to protect open-source software from supply chain attacks

10 Aug 2022


GitHub plans to use the code-signing platform Sigstore to protect its open-source registry, which was impacted by a cyberattack earlier this year.

Microsoft-owned GitHub is proposing a new strategy to boost the security of open-source projects following recent supply chain attacks.

GitHub shared plans at a White House summit in January to step up its work on open-source software security. It came after vulnerabilities such as Log4Shell, the flaw in the widely used Log4j logging library, raised concerns about the security of open-source dependencies.

Now, the code repository plans to sign its npm software packages with Sigstore, a collaborative project from the Linux Foundation and the Open Source Security Foundation that aims to improve software supply chain integrity and verification.

Code signing attaches a digital signature to software so that users can check the code has not been tampered with since it was signed. GitHub said this helps link each package to the source repository it was built from, giving consumers confidence in what they are installing.

GitHub director of product management Justin Hutchings said the process would help generate “attestations about where, when and how the package was authored”. He added that Sigstore is easier to use and more secure than past methods as it doesn’t require developers to manage “long-lived cryptographic keys”.
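What signing and verifying a single package looks like at this level, as an added illustration and not code from GitHub, npm or Sigstore: a build signs a short statement recording where, when and how the package was produced, and a consumer checks both the signature and the downloaded tarball against it. The attestation layout, the hypothetical package name and repository, and the CI values are assumptions; the identity binding (Fulcio) and transparency log (Rekor) that Sigstore layers on top are deliberately left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attestation is a simplified statement about a published package: what was
// built (name, version, tarball digest) and where, when and how it was built.
// Assumption: this is an illustrative shape, not Sigstore's or npm's real format.
type Attestation struct {
	Package    string `json:"package"`
	Version    string `json:"version"`
	SHA256     string `json:"sha256"`      // digest of the published tarball
	SourceRepo string `json:"source_repo"` // where: repository it was built from
	Commit     string `json:"commit"`      // which revision of that repository
	Builder    string `json:"builder"`     // how: the CI system that ran the build
	BuiltAt    string `json:"built_at"`    // when (RFC 3339)
}

// SignedAttestation is what a registry would publish next to the tarball.
type SignedAttestation struct {
	Attestation Attestation
	PublicKey   ed25519.PublicKey // ephemeral key used for this one signing
	Signature   []byte
}

// digest returns the hex SHA-256 of the artifact bytes.
func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonical serialises the attestation deterministically so signer and
// verifier sign and check identical bytes (encoding/json keeps field order).
func canonical(a Attestation) []byte {
	b, err := json.Marshal(a)
	if err != nil {
		panic(err) // only fails for unmarshalable types; this struct has none
	}
	return b
}

// Sign generates a fresh key pair, binds the tarball digest into the
// attestation and signs it. The private key is dropped on return: there is
// no long-lived signing key for a maintainer to store, rotate or leak.
func Sign(tarball []byte, a Attestation) (SignedAttestation, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignedAttestation{}, err
	}
	a.SHA256 = digest(tarball)
	sig := ed25519.Sign(priv, canonical(a))
	return SignedAttestation{Attestation: a, PublicKey: pub, Signature: sig}, nil
}

// Verify is what a consumer would run: the signature must be valid over the
// attestation, and the tarball actually downloaded must hash to the attested
// digest. Either check failing means something changed between build and install.
func Verify(tarball []byte, s SignedAttestation) error {
	if !ed25519.Verify(s.PublicKey, canonical(s.Attestation), s.Signature) {
		return fmt.Errorf("attestation signature does not verify")
	}
	if got := digest(tarball); got != s.Attestation.SHA256 {
		return fmt.Errorf("tarball digest %s != attested %s", got, s.Attestation.SHA256)
	}
	return nil
}

func main() {
	// Constructed sample artifact and metadata; hypothetical package and repository.
	tarball := []byte("constructed sample tarball bytes for example-pkg@1.0.0")
	att := Attestation{
		Package:    "example-pkg",
		Version:    "1.0.0",
		SourceRepo: "https://github.com/example-org/example-pkg",
		Commit:     "0123456789abcdef",
		Builder:    "github-actions",
		BuiltAt:    "2022-08-10T12:00:00Z",
	}
	signed, err := Sign(tarball, att)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine tarball:", Verify(tarball, signed))

	// A tarball swapped on the registry or in transit fails the digest check.
	fmt.Println("tampered tarball:", Verify([]byte("malicious replacement"), signed))

	// Rewriting the attestation to claim a different source repo breaks the signature.
	forged := signed
	forged.Attestation.SourceRepo = "https://github.com/attacker/example-pkg"
	fmt.Println("forged provenance:", Verify(tarball, forged))
}
```

The three Verify calls return nil, a digest mismatch and a signature failure respectively. The "no long-lived keys" point is visible in Sign: nothing persists after the call. What this simplified model cannot show is how a verifier knows the ephemeral public key belonged to a trusted build; in Sigstore that is the job of the short-lived Fulcio certificate tied to the CI job's OIDC identity and the Rekor transparency log entry, which is what turns the source_repo claim from merely signed into checkable.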

“Securing the software supply chain is one of the biggest security challenges our industry faces right now,” Hutchings said in a blog post. “This proposal is an important next step, but truly solving this challenge will require commitment and investment across the community.”

GitHub has announced a number of changes in recent months to improve the security of npm, adding two-factor authentication, streamlined login and the “enhanced signing of artefacts” to protect its open-source ecosystem.

But in April, GitHub said an attacker abused stolen OAuth user tokens to download data from dozens of organisations on its site, including its npm registry.

Tzachi Zorenshtain, head of software supply chain at application security firm Checkmarx, said code signing is a “great move” to close a gap that an attacker could use to abuse the open-source ecosystem.

“We know that attackers will continue to explore the weakest link in the chain, and it’s vitally important to raise the bar and respond to their attacks as quickly as possible,” Zorenshtain said.


Leigh Mc Gowran is a journalist with Silicon Republic
