GitHub has added another defense against software supply chain attacks, in which an attacker tampers with a popular software package so that every downstream user of that package receives the malicious version. The feature is called Artifact Attestations.
Built on the Linux Foundation's Sigstore project, Artifact Attestations sign the build artifacts produced by a GitHub Actions workflow each time a new version is released. Instead of a long-lived private key held by a developer, the signature is made with a short-lived certificate bound to the identity of the workflow that ran the build, and it is recorded in a publicly accessible transparency log so that anyone can later verify that a file was produced by the project's own build and has not been altered since. Note what this does and does not prove: a valid attestation shows that the artifact came from a specific workflow in a specific repository, not that the source that workflow built was itself trustworthy, and it only helps if consumers actually run the verification.
Sigstore's public instance was designed for open-source projects, whose signatures go into a public log. Artifact Attestations extends the model to private GitHub repositories by recording their attestations in GitHub's own, separate log, which permits the same retrospective verification without publishing details of a private build. Because the signing identity comes from the workflow's OIDC token rather than from developer-held keys, there is no PKI key material to generate, distribute, rotate or protect across different tools.
The feature is available now. Producing attestations requires adding a step to the repository's GitHub Actions workflow YAML and granting the job the permissions that step needs; consumers verify a downloaded artifact with the GitHub CLI's gh attestation verify command.
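As an added example (not a workflow from the GitHub Blog post or from GitHub's own repositories), the following GitHub Actions workflow packages the repository at a release tag and attests the resulting archive with the actions/attest-build-provenance action. The job needs id-token: write, so it can obtain the short-lived Sigstore signing identity, and attestations: write, so it can store the attestation on GitHub. The workflow, job and artifact names are assumptions chosen for the example.

```yaml
# Added example, not from the GitHub Blog post: minimal release workflow that
# builds an artifact and attests its provenance. Names (myapp, dist/) are assumed.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # lets the job request an OIDC token, which Sigstore
                            # exchanges for a short-lived signing certificate
      attestations: write   # lets the job store the attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      - name: Build release artifact
        # Package the tagged source tree; GITHUB_REF_NAME is the tag that
        # triggered the run (e.g. v1.2.3).
        run: |
          mkdir -p dist
          git archive --format=tar.gz -o "dist/myapp-${GITHUB_REF_NAME}.tar.gz" HEAD

      - name: Attest build provenance
        # Signs the digest of every file matching subject-path and records the
        # attestation, tied to this repository and workflow identity.
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*.tar.gz

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: release
          path: dist/
```

A consumer who has downloaded the archive and installed the GitHub CLI verifies it with gh attestation verify dist/myapp-v1.2.3.tar.gz --repo OWNER/REPO (substituting the real file name and repository). The command recomputes the file's digest, looks up the matching attestation, checks the signature against the Sigstore trust root, and confirms that the signing identity belongs to a workflow in the named repository. A file that was swapped after the build, or built anywhere else, fails that check.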
Source: GitHub Blog
TLDR: GitHub introduces Artifact Attestations, which use the Sigstore project to sign build artifacts in GitHub Actions and record the signatures in a verifiable log, so downloaded files can be checked against the build that produced them without developers managing signing keys.