Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors
- URL: http://arxiv.org/abs/2401.14635v2
- Date: Sun, 14 Apr 2024 21:10:25 GMT
- Title: Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors
- Authors: Taylor R Schorlemmer, Kelechi G Kalu, Luke Chigges, Kyung Myung Ko, Eman Abu Isghair, Saurabh Baghi, Santiago Torres-Arias, James C Davis
- Abstract summary: Package maintainers can guarantee package authorship through software signing.
It is unclear how common this practice is, and whether the resulting signatures are created properly.
- Score: 4.944550691418216
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Many software applications incorporate open-source third-party packages distributed by public package registries. Guaranteeing authorship along this supply chain is a challenge. Package maintainers can guarantee package authorship through software signing. However, it is unclear how common this practice is, and whether the resulting signatures are created properly. Prior work has provided raw data on registry signing practices, but only measured single platforms, did not consider quality, did not consider time, and did not assess factors that may influence signing. We do not have up-to-date measurements of signing practices nor do we know the quality of existing signatures. Furthermore, we lack a comprehensive understanding of factors that influence signing adoption. This study addresses this gap. We provide measurements across three kinds of package registries: traditional software (Maven, PyPI), container images (DockerHub), and machine learning models (Hugging Face). For each registry, we describe the nature of the signed artifacts as well as the current quantity and quality of signatures. Then, we examine longitudinal trends in signing practices. Finally, we use a quasi-experiment to estimate the effect that various factors had on software signing practices. To summarize our findings: (1) mandating signature adoption improves the quantity of signatures; (2) providing dedicated tooling improves the quality of signing; (3) getting started is the hard part -- once a maintainer begins to sign, they tend to continue doing so; and (4) although many supply chain attacks are mitigable via signing, signing adoption is primarily affected by registry policy rather than by public knowledge of attacks, new engineering standards, etc. These findings highlight the importance of software package registry managers and signing infrastructure.
Related papers
- Why Johnny Signs with Next-Generation Tools: A Usability Case Study of Sigstore [5.433194344896805]
Software signing is the most robust method for ensuring the integrity and authenticity of components in a software supply chain.
Traditional signing tools place key management and signer identification burdens on practitioners, leading to both security vulnerabilities and usability challenges.
Next-generation signing tools such as Sigstore have automated some of these concerns, but little is known about their usability and adoption dynamics.
arXiv Detail & Related papers (2025-03-01T00:59:18Z)
- Quantum digital signature based on single-qubit without a trusted third-party [45.41082277680607]
We propose a brand new quantum digital signature protocol without a trusted third party only with qubit technology to further improve the security.
We prove that the protocol has information-theoretical unforgeability. Moreover, it satisfies other important secure properties, including asymmetry, undeniability, and expandability.
arXiv Detail & Related papers (2024-10-17T09:49:29Z)
- A new approach to delegate signing rights to proxy signers using isogeny-based cryptography [5.662132994900804]
We propose the first post-quantum isogeny based proxy signature scheme CSI-PS (commutative supersingular isogeny proxy signature).
Our construction is proven to be uf-cma secure under the hardness of the group action inverse problem (IPGA) based on isogeny.
arXiv Detail & Related papers (2024-07-18T09:19:19Z)
- An Industry Interview Study of Software Signing for Supply Chain Security [5.433194344896805]
Many cybersecurity frameworks, standards, and regulations recommend the use of software signing.
Recent surveys have found that the adoption rate and quality of software signatures are low.
We interviewed 18 high-ranking industry practitioners across 13 organizations.
arXiv Detail & Related papers (2024-06-12T13:30:53Z)
- Investigating the Common Authorship of Signatures by Off-Line Automatic Signature Verification Without the Use of Reference Signatures [3.3498759480099856]
This paper addresses the problem of automatic signature verification when no reference signatures are available.
The scenario we explore consists of a set of signatures, which could be signed by the same author or by multiple signers.
We discuss three methods which estimate automatically the common authorship of a set of off-line signatures.
arXiv Detail & Related papers (2024-05-23T10:30:48Z)
- Revocable Quantum Digital Signatures [57.25067425963082]
We define and construct digital signatures with revocable signing keys from the LWE assumption.
In this primitive, the signing key is a quantum state which enables a user to sign many messages.
Once the key is successfully revoked, we require that the initial recipient of the key loses the ability to sign.
arXiv Detail & Related papers (2023-12-21T04:10:07Z)
- FedSOV: Federated Model Secure Ownership Verification with Unforgeable Signature [60.99054146321459]
Federated learning allows multiple parties to collaborate in learning a global model without revealing private data.
We propose a cryptographic signature-based federated learning model ownership verification scheme named FedSOV.
arXiv Detail & Related papers (2023-05-10T12:10:02Z)
- SignBERT+: Hand-model-aware Self-supervised Pre-training for Sign Language Understanding [132.78015553111234]
Hand gesture serves as a crucial role during the expression of sign language.
Current deep learning based methods for sign language understanding (SLU) are prone to over-fitting due to insufficient sign data resource.
We propose the first self-supervised pre-trainable SignBERT+ framework with model-aware hand prior incorporated.
arXiv Detail & Related papers (2023-05-08T17:16:38Z)
- Secure access system using signature verification over tablet PC [62.21072852729544]
We describe a highly versatile and scalable prototype for Web-based secure access using signature verification.
The proposed architecture can be easily extended to work with different kinds of sensors and large-scale databases.
arXiv Detail & Related papers (2023-01-11T11:05:47Z)
- Don't Forget to Sign the Gradients! [60.98885980669777]
GradSigns is a novel watermarking framework for deep neural networks (DNNs).
We present GradSigns, a novel watermarking framework for deep neural networks (DNNs).
arXiv Detail & Related papers (2021-03-05T14:24:32Z)
- FCN+RL: A Fully Convolutional Network followed by Refinement Layers to Offline Handwritten Signature Segmentation [3.3144312096837325]
We propose an approach to locate and extract the pixels of handwritten signatures on identification documents.
The technique is based on a fully convolutional encoder-decoder network combined with a block of refinement layers for the alpha channel of the predicted image.
arXiv Detail & Related papers (2020-05-28T18:47:10Z)
- Offline Signature Verification on Real-World Documents [9.271640666465363]
Signatures extracted from formal documents may contain different types of occlusions, for example, stamps, company seals, ruling lines, and signature boxes.
In this paper, we address a real-world writer independent offline signature verification problem, in which, a bank's customers' transaction request documents that contain their occluded signatures are compared with their clean reference signatures.
Our proposed method consists of two main components, a stamp cleaning method based on CycleGAN and signature representation based on CNNs.
arXiv Detail & Related papers (2020-04-25T10:28:03Z)
This list is automatically generated from the titles and abstracts of the papers in this site.