Establishing Provenance Before Coding: Traditional and Next-Gen Software Signing
Taylor R. Schorlemmer, Ethan H. Burmane, Kelechi G. Kalu, Santiago Torres-Arias, James C. Davis

TL;DR
This paper discusses methods for verifying the origin of third-party software components using cryptographic signatures, highlighting traditional approaches, their challenges, and advancements in next-generation signing platforms to enhance software supply chain security.
Contribution
It traces the shift from traditional software signing to next-generation signing platforms for verifying the provenance of third-party components, and describes the challenges of traditional signing that the newer platforms are designed to address.
Findings
Traditional signing faces key management challenges.
Next-generation signing platforms improve security and usability.
Verifying a component's provenance before integrating it shrinks the software supply chain attack surface.
Abstract
Software engineers integrate third-party components into their applications. The resulting software supply chain is vulnerable. To reduce the attack surface, we can verify the origin of components (provenance) before adding them. Cryptographic signatures enable this. This article describes traditional signing, its challenges, and the changes introduced by next-generation signing platforms.
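The check the abstract describes (verify a component's origin with a cryptographic signature before adding it) and the key-management problem named in the findings, as an added Go example that is not code from the paper or its authors. It uses the standard library's Ed25519 and SHA-256; the signer identity, trust store layout and artifact bytes are constructed for illustration and stand in for the publisher key distribution and download step a real integrator would perform.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore maps a pinned signer identity to the public key an integrator has
// decided to trust for that identity. Populating, distributing and rotating this
// map is the key-management burden that traditional signing places on users.
type TrustStore map[string]ed25519.PublicKey

// SignArtifact is the publisher side: a detached Ed25519 signature over the
// SHA-256 digest of the released artifact.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyProvenance is the integrator side: refuse the artifact unless the
// claimed signer is pinned in the trust store and the signature verifies over
// the bytes that were actually downloaded.
func VerifyProvenance(ts TrustStore, signer string, artifact, sig []byte) error {
	pub, ok := ts[signer]
	if !ok {
		return fmt.Errorf("signer %q is not in the trust store", signer)
	}
	digest := sha256.Sum256(artifact)
	if !ed25519.Verify(pub, digest[:], sig) {
		return errors.New("signature does not verify over the artifact")
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo runs four scenarios and returns the verification result of each:
// a genuine release, a tampered download, a release signed with a key the
// integrator never pinned for that identity, and a signer identity that is
// unknown to the trust store. Only the first should succeed.
func Demo() (genuine, tampered, wrongKey, unknownSigner error) {
	maintainerPub, maintainerPriv := mustKey()
	_, attackerPriv := mustKey() // hypothetical attacker key, never pinned

	ts := TrustStore{"maintainer@example.org": maintainerPub} // constructed identity
	artifact := []byte("constructed sample: contents of libfoo-1.2.3.tar.gz")
	sig := SignArtifact(maintainerPriv, artifact)

	genuine = VerifyProvenance(ts, "maintainer@example.org", artifact, sig)

	// A single flipped byte in the download must invalidate the signature.
	modified := append([]byte{}, artifact...)
	modified[0] ^= 0x01
	tampered = VerifyProvenance(ts, "maintainer@example.org", modified, sig)

	// Correct identity claimed, but signed with a key the integrator never trusted.
	wrongKey = VerifyProvenance(ts, "maintainer@example.org", artifact,
		SignArtifact(attackerPriv, artifact))

	// Valid signature, but from an identity the trust store has no key for.
	unknownSigner = VerifyProvenance(ts, "unknown@example.org", artifact,
		SignArtifact(attackerPriv, artifact))
	return
}

func main() {
	genuine, tampered, wrongKey, unknownSigner := Demo()
	fmt.Println("genuine release:  ", genuine)
	fmt.Println("tampered download:", tampered)
	fmt.Println("untrusted key:    ", wrongKey)
	fmt.Println("unknown signer:   ", unknownSigner)
}
```

The two rejected-but-correctly-signed cases are the point of the "key management" finding: the signature math is identical in every scenario, and what decides acceptance is whether the integrator obtained and pinned the right public key for the right identity, which is the step traditional signing leaves to each user.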
Taxonomy
Topics: Scientific Computing and Data Management · Semantic Web and Ontologies · Research Data Management Practices
