Key points
- Microsoft’s Signing Transparency is a new service that provides an additional layer of security for software supply chains by creating a permanent, auditable record of who signed what and when.
- The service records every signing event in an append-only, tamper-evident ledger, so organizations and auditors can independently confirm that a release's signature was recorded, when, and by whom.
- Signing Transparency does not stop a compromised key from producing a valid signature, but it makes every signing event visible in a tamper-evident log, so a signature that was never registered, or was registered by an unexpected signer, stands out instead of hiding behind a trusted key.
Microsoft has announced a preview of Signing Transparency, a new service designed to enhance trust and security in software supply chains. The service is built on the Zero Trust principle of "never trust, always verify" and records each signature in an append-only log. The log runs inside a confidential computing environment and is protected by strong cryptography, so that entries cannot be silently altered or removed after the fact.
The need for transparency in the software supply chain has become increasingly important as attackers have repeatedly exploited the trust placed in signed software to distribute malicious updates. A valid signature only proves that someone holding the key signed the artifact; it says nothing about whether that signing was expected. Signing Transparency addresses this gap with a tamper-evident, queryable ledger that records the signature of every signed artifact, so anyone can audit the ledger to confirm what was signed, when, and by whom.
Microsoft's Signing Transparency is a cloud-managed service that acts as an impartial notary for software signatures. It creates a permanent, auditable record of who signed what and when, giving consumers independent evidence that a given release has not been secretly replaced or modified. The service applies a trust policy before accepting a signature, then records a reference to it in an append-only log structured as a Merkle tree: each entry's inclusion can be proven against the tree's root hash, and any later alteration of the history would change that hash.
The service also uses COSE (CBOR Object Signing and Encryption) envelopes that follow the IETF's draft Supply Chain Integrity, Transparency, and Trust (SCITT) architecture, which underlines Microsoft's commitment to open standards in supply chain security and means receipts are not tied to a single vendor's tooling.
In practice, when a developer or an automated build system signs a piece of code, the signing tooling produces a COSE_Sign1 envelope, which is then submitted to the Signing Transparency service. The service verifies the signature, checks the signer's identity against its trust policy, appends the entry to the log, and returns a countersignature that is attached to the COSE envelope. A consumer of the artifact can later check that countersignature, together with the original signature, without contacting the signer.
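The flow described above, as an added example rather than Microsoft's own code: a signer produces an envelope, the notary checks it against a trust policy, appends a leaf to a Merkle tree and countersigns the tree head, and a consumer verifies the receipt offline. The envelope is a simplified stand-in for COSE_Sign1 (fields are length-prefixed rather than CBOR-encoded), the signature algorithm is Ed25519, the tree hashing follows RFC 6962, and all names, keys and sample builds are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope stands in for a COSE_Sign1 message. Assumption: fields are length-prefixed
// and concatenated (encode) rather than CBOR-encoded as in the real service.
type Envelope struct {
	Protected []byte   // protected header carrying the signer identity ("kid=...")
	Payload   []byte   // the signed statement, here the artifact's SHA-256 digest
	Signature []byte   // signer's Ed25519 signature over the Sig_structure
	Receipt   *Receipt // countersignature added by the transparency service
}
// Receipt binds the entry to a countersigned tree head (TreeSize, Root) plus an RFC 6962
// style inclusion proof (sibling hashes, leaf level first), so it verifies offline after the log grows.
type Receipt struct{ Index, TreeSize int; Proof [][]byte; Root, Signature []byte }
// Service is the notary: a trust policy (which kid may sign with which key) and the append-only log of leaf hashes.
type Service struct{ priv ed25519.PrivateKey; Pub ed25519.PublicKey; policy map[string]ed25519.PublicKey; leaves [][]byte }

func encode(parts ...[]byte) (b []byte) { // 2-byte length prefix per field
	for _, p := range parts { b = append(append(b, byte(len(p)>>8), byte(len(p))), p...) }
	return
}
// sigStructure mirrors COSE Sig_structure: context, protected header, external_aad, payload.
func sigStructure(prot, payload []byte) []byte { return encode([]byte("Signature1"), prot, nil, payload) }
func treeHead(n int, root []byte) []byte       { return encode([]byte(fmt.Sprint("size=", n)), root) }
func leafHash(b []byte) []byte                 { h := sha256.Sum256(append([]byte{0}, b...)); return h[:] }
func nodeHash(l, r []byte) []byte              { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }
func split(n int) int                          { k := 1; for k*2 < n { k *= 2 }; return k }

// Sign is the producer side: a build pipeline signs a statement about its artifact.
func Sign(priv ed25519.PrivateKey, kid string, payload []byte) *Envelope {
	p := []byte("kid=" + kid)
	return &Envelope{Protected: p, Payload: payload, Signature: ed25519.Sign(priv, sigStructure(p, payload))}
}
// Merkle tree head and inclusion path per RFC 6962 (split at the largest power of two below n).
func mth(leaves [][]byte) []byte {
	if len(leaves) == 1 { return leaves[0] }
	k := split(len(leaves))
	return nodeHash(mth(leaves[:k]), mth(leaves[k:]))
}
func path(m int, leaves [][]byte) [][]byte {
	if len(leaves) == 1 { return nil }
	k := split(len(leaves))
	if m < k { return append(path(m, leaves[:k]), mth(leaves[k:])) }
	return append(path(m-k, leaves[k:]), mth(leaves[:k]))
}
func rootFromProof(leaf []byte, m, n int, proof [][]byte) []byte { // the verifier's side of path
	if n == 1 && m == 0 { return leaf }
	if m < 0 || m >= n || len(proof) == 0 { return nil }
	k, last, rest := split(n), proof[len(proof)-1], proof[:len(proof)-1]
	if m < k { return nodeHash(rootFromProof(leaf, m, k, rest), last) }
	return nodeHash(last, rootFromProof(leaf, m-k, n-k, rest))
}

// Register is the notary step: check policy, check the signature, append, countersign.
func (s *Service) Register(e *Envelope) error {
	pub, ok := s.policy[string(bytes.TrimPrefix(e.Protected, []byte("kid=")))]
	if !ok { return errors.New("policy: signer not registered") }
	if !ed25519.Verify(pub, sigStructure(e.Protected, e.Payload), e.Signature) { return errors.New("signer signature invalid") }
	s.leaves = append(s.leaves, leafHash(encode(e.Protected, e.Payload, e.Signature)))
	i, n, root := len(s.leaves)-1, len(s.leaves), mth(s.leaves)
	e.Receipt = &Receipt{Index: i, TreeSize: n, Proof: path(i, s.leaves), Root: root, Signature: ed25519.Sign(s.priv, treeHead(n, root))}
	return nil
}
// VerifyReceipt is what a consumer runs offline: signer signature, inclusion proof, countersignature.
func VerifyReceipt(e *Envelope, signerPub, servicePub ed25519.PublicKey) error {
	if e.Receipt == nil { return errors.New("no receipt: artifact was never registered") }
	if !ed25519.Verify(signerPub, sigStructure(e.Protected, e.Payload), e.Signature) { return errors.New("signer signature invalid") }
	r, leaf := e.Receipt, leafHash(encode(e.Protected, e.Payload, e.Signature))
	if !bytes.Equal(rootFromProof(leaf, r.Index, r.TreeSize, r.Proof), r.Root) { return errors.New("inclusion proof does not reach the countersigned root") }
	if !ed25519.Verify(servicePub, treeHead(r.TreeSize, r.Root), r.Signature) { return errors.New("service countersignature invalid") }
	return nil
}

// Demo runs four flows on constructed inputs: an honest release (registered, then verified after the log has
// grown), an unregistered signer, a release signed with the legitimate key but never logged, and a payload swap.
func Demo() (honest, unknownSigner, unlogged, tampered error) {
	devPub, devPriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	_, roguePriv, _ := ed25519.GenerateKey(nil)
	svcPub, svcPriv, _ := ed25519.GenerateKey(nil)
	svc := &Service{priv: svcPriv, Pub: svcPub, policy: map[string]ed25519.PublicKey{"build-pipeline-1": devPub}}
	build := func(s string) *Envelope { d := sha256.Sum256([]byte(s)); return Sign(devPriv, "build-pipeline-1", d[:]) }
	svc.Register(build("earlier build"))
	release := build("installer-1.2.3.msi")
	honest = svc.Register(release)
	svc.Register(build("later build"))
	if honest == nil { honest = VerifyReceipt(release, devPub, svc.Pub) }
	unknownSigner = svc.Register(Sign(roguePriv, "rogue", release.Payload))
	unlogged = VerifyReceipt(build("backdoored build"), devPub, svc.Pub) // a stolen key alone yields no receipt
	release.Payload = []byte("swapped after registration")
	tampered = VerifyReceipt(release, devPub, svc.Pub)
	return
}

func main() { h, u, n, t := Demo(); fmt.Println("honest:", h, "| unknown signer:", u, "| unlogged:", n, "| tampered:", t) }
```

The receipt is issued against the tree head at registration time, so it keeps verifying after more entries are appended; the consumer needs only the service's public key and the signer's key, not a connection to the service. The unlogged case is the one that matters for key compromise: the signature itself is valid, and only the missing receipt reveals that the release never went through the expected pipeline.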
Signing Transparency offers enterprises substantial security benefits: tamper-evident releases, independent verification, an audit trail for compliance, policy enforcement with accountability for each signer, and earlier detection of key compromise and replay, since a signature produced outside the expected process has no matching receipt. By adopting the service, organizations can reduce the risk of software supply chain attacks and build customer confidence.
As software supply chain attacks continue to rise, organizations need proof of integrity and fast detection. Microsoft's Signing Transparency service advances both by attaching a verifiable record to each signed artifact, promoting trust through transparency. For enterprises, adopting this technology enables direct verification of code, reduces risk, and deters tampering by keeping malicious signing events on record. Those interested in learning more can join the preview community for a virtual chat by expressing interest on the Microsoft Azure Blog.