can-gpg-secure-the-software-industry

 

digital lock unlocked

 

Code signing is important for proving the integrity and authenticity of software but can GPG secure the Software Industry?

Digital certificates issued by certificate authorities are generally used to perform this task, but as we know and mentioned in a few blogs, here and here, they have strong limitations, such as:

 

  • They can be stolen
  • They have coarse granularity
  • Identities can be faked with look-alike companies
  • The issuing process is long and time-consuming
  • Owners can’t track what’s been signed with them
  • They are extremely expensive, both to get and to maintain e.g. renewals, etc.

 

Several software publishers, especially in the open source community, have adopted GPG as the only alternative to digital certificates for signing application binaries. (See the recent decision by Notepad++ to give up on digital certificates in favour of GPG.)

 

The main advantages of GPG are its accessibility (you don’t need a CA to verify who you are in order to get a signing key) and the fact that it’s free.

The Holes in GPG

Is GPG the solution to secure the software industry? Unfortunately, the answer is no. Here’s why:

 

  • It’s too technical – Setting up GPG, whether on Mac, Linux or Windows, requires in-depth technical knowledge.
  • It’s too cumbersome – In order to verify someone’s code, you need to:
    1. Import his/her key to your key ring and sign it.
    2. Do numerous checks to confirm the key corresponds to the person who declared said key. (And by the way, you can’t rely on the Keyserver for that.)
    3. Import the code signature (if it’s been created and detached from the code).
    4. Check if the binary was actually signed by the person who is claiming to be the signer.
  • Its granularity is too coarse – Similar to digital certificates, GPG is also used only to sign releases for main products or repositories, though they are not for any and all types of software assets. Their sphere of authenticity is limiting.
  • It doesn’t fit in with current engineering best practices (CICD and DevOps) – GPG is generally used for signing developers’ code. Gits support GPG signatures for that reason. However, at the same time, because GPG verification requires multiple steps, you cannot streamline the verification process within a single, easy to use build script.
  • The Web of Trust is impractical – It’s a nice concept but it doesn’t work. (Check out this scathing post here by Filippo Valtora on the subject.)
  • Identities are not certified – Even well known Richard Stallman says in his personal blog here to not to trust the keys under his name on any keyserver.

GPG at the End of the Day

As I mentioned before, you need to triangulate information, which takes time and it’s still not 100% secure.

 

In the end, GPG does not really improve questionable situations any better than digital certificates do. The only advantage of GPG compared to digital certificates is that it’s free, but that’s only when you’re calculating the direct costs. If you count in the indirect costs of installing malicious code signed with GPG thinking it was secure, then the price goes up significantly.

 

Honestly, what are we to expect given that GPG, as well as digital certificates, were not made to sign code? Digital certificates were actually developed by Netscape to verify a domain and encrypt the information exchanged between clients and websites. Similarly, GPG was born to encrypt and sign email communication. Unfortunately for the rest of us, the industry just decided to put a square peg technology into a problematic round hole.

Solving the GPG Problem

To secure the software industry, a solution is needed that is designed specifically to address this problem. This is why vChain decided to develop CodeNotary, a one-step solution that guarantees your code is exactly how you left it.

 

CodeNotary’s blockchain-based application gives you the ability to maintain a high-level view of all your code from the main release level on down to the fine, granular level of components, scripts, and beyond. Not only is CodeNotary a proactive DevSecOps best practice, but the savings that mount from preventing scaled problems happening further down the production pipeline is one of those rare moments to breathe easy.

 

Sound too good to be true? Don’t take our word for it. Grab a free trial and check it out for yourself.

 

 

Sign Up Here

 

You can also learn more about how CodeNotary works here.

 

References

CNIL
Metrics and Logs

(formerly, Opvizor Performance Analyzer)

VMware vSphere & Cloud
PERFORMANCE MONITORING, LOG ANALYSIS, LICENSE COMPLIANCE!

Monitor and Analyze Performance and Log files:
Performance monitoring for your systems and applications with log analysis (tamperproof using immudb) and license compliance (RedHat, Oracle, SAP and more) in one virtual appliance!

Subscribe to Our Newsletter

Get the latest product updates, company news, and special offers delivered right to your inbox.

Subscribe to our newsletter

Use Case - Tamper-resistant Clinical Trials

Goal:

Blockchain PoCs were unsuccessful due to complexity and lack of developers.

Still the goal of data immutability as well as client verification is a crucial. Furthermore, the system needs to be easy to use and operate (allowing backup, maintenance windows aso.).

Implementation:

immudb is running in different datacenters across the globe. All clinical trial information is stored in immudb either as transactions or the pdf documents as a whole.

Having that single source of truth with versioned, timestamped, and cryptographically verifiable records, enables a whole new way of transparency and trust.

Use Case - Finance

Goal:

Store the source data, the decision and the rule base for financial support from governments timestamped, verifiable.

A very important functionality is the ability to compare the historic decision (based on the past rulebase) with the rulebase at a different date. Fully cryptographic verifiable Time Travel queries are required to be able to achieve that comparison.

Implementation:

While the source data, rulebase and the documented decision are stored in verifiable Blobs in immudb, the transaction is stored using the relational layer of immudb.

That allows the use of immudb’s time travel capabilities to retrieve verified historic data and recalculate with the most recent rulebase.

Use Case - eCommerce and NFT marketplace

Goal:

No matter if it’s an eCommerce platform or NFT marketplace, the goals are similar:

  • High amount of transactions (potentially millions a second)
  • Ability to read and write multiple records within one transaction
  • prevent overwrite or updates on transactions
  • comply with regulations (PCI, GDPR, …)


Implementation:

immudb is typically scaled out using Hyperscaler (i. e. AWS, Google Cloud, Microsoft Azure) distributed across the Globe. Auditors are also distributed to track the verification proof over time. Additionally, the shop or marketplace applications store immudb cryptographic state information. That high level of integrity and tamper-evidence while maintaining a very high transaction speed is key for companies to chose immudb.

Use Case - IoT Sensor Data

Goal:

IoT sensor data received by devices collecting environment data needs to be stored locally in a cryptographically verifiable manner until the data is transferred to a central datacenter. The data integrity needs to be verifiable at any given point in time and while in transit.

Implementation:

immudb runs embedded on the IoT device itself and is consistently audited by external probes. The data transfer to audit is minimal and works even with minimum bandwidth and unreliable connections.

Whenever the IoT devices are connected to a high bandwidth, the data transfer happens to a data center (large immudb deployment) and the source and destination date integrity is fully verified.

Use Case - DevOps Evidence

Goal:

CI/CD and application build logs need to be stored auditable and tamper-evident.
A very high Performance is required as the system should not slow down any build process.
Scalability is key as billions of artifacts are expected within the next years.
Next to a possibility of integrity validation, data needs to be retrievable by pipeline job id or digital asset checksum.

Implementation:

As part of the CI/CD audit functionality, data is stored within immudb using the Key/Value functionality. Key is either the CI/CD job id (i. e. Jenkins or GitLab) or the checksum of the resulting build or container image.

White Paper — Registration

We will also send you the research paper
via email.

CodeNotary — Webinar

White Paper — Registration

Please let us know where we can send the whitepaper on CodeNotary Trusted Software Supply Chain. 

Become a partner

Start Your Trial

Please enter contact information to receive an email with the virtual appliance download instructions.

Start Free Trial

Please enter contact information to receive an email with the free trial details.