Alpha-Omega is pleased to announce a grant to the Homebrew project to enable Sigstore attestations and verification of Homebrew packages. When complete the project will allow organizations to securely verify the provenance of the toolchains on their workstations and in their build environments. This is a critical part of securing every software supply chain.
Alpha-Omega is an associated project of the OpenSSF, funded by Microsoft, Google, and Amazon, and with a mission to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems. “Alpha-Omega is turning money into security,” said Michael Scovetta, Principal Security PM Manager at Microsoft. “With over $5M granted so far, Alpha-Omega has catalyzed security improvements across the open source ecosystem.”
Homebrew is the predominant package manager for macOS, with millions of daily users and hundreds of active contributors. Homebrew is also widely used on Linux and preinstalled on GitHub Actions’ hosted runners. Homebrew successfully delivers over 500 million binary builds of open-source packages to users each year.
The goal of this project is to make the signing and verification of Homebrew packages (called bottles) boring and easy. “Package managers like Homebrew are the app stores of software development and have become critical points of leverage in securing our software supply chains”, said Michael Winser, Technical Strategist at Alpha-Omega. Although Homebrew already signs commits with GPG, this doesn’t go far enough, as there’s no way for the Homebrew client or users to detect compromised bottles.
This is where Sigstore and SLSA come in. Sigstore makes the hard problems of key and identity management and verification much easier for producers and consumers alike. SLSA is a specification for describing and incrementally improving supply chain security. With this project, every single bottle provided by homebrew-core will be digitally signed in a manner that proves that it was built on Homebrew’s trusted CI/CD. In other words, SLSA Build Level 2.
This work will be done as open source in the Homebrew project by Trail of Bits in collaboration with the Homebrew community. We encourage you to read their post that goes into more technical detail about the challenges of signing, what SLSA Build Level 2 entails, and how Sigstore makes it practical.
Alpha-Omega grants are driving high-leverage improvements in security across the open source ecosystem. We’re always interested in new projects and opportunities where we can help. You can learn more on our grants page or by attending one of our monthly public meetings.