OpenPubkey is an open-source cryptographic protocol that hopes to strengthen security in the open source ecosystem.
It makes use of the authentication framework OpenID Connect, enabling users to sign artifacts using their OpenID identity. This enables the use of supply chain security features like signed builds, deployments, and code commits.
It was developed at BastionZero, and is now being maintained by the Linux Foundation. By bringing it under the umbrella of the Linux Foundation, the project maintainers hope it can foster more collaboration and expand the reach of the project.
“The Linux Foundation is proud to host the OpenPubkey Project,” said Jim Zemlin, Executive Director of the Linux Foundation. “We believe this initiative will play a pivotal role in strengthening the security of the open source software community. We encourage developers and organizations to join this collaborative effort in enhancing software supply chain security.”
Docker also recently announced that it now supports OpenPubkey for signing its containers.
“We introduced OpenPubkey as its own standalone protocol to make it easy and secure to use digital signatures with OpenID Connect,” said Ethan Heilman, co-founder and CTO of BastionZero. “We are excited to partner with Docker to offer its community of software developers and open source contributors a simple and convenient way for users, service accounts, machines, or workloads to create digital signatures using their identity.”