
Alpha-Omega Grant To Help Homebrew Reach SLSA Build Level 2

Alpha-Omega is pleased to announce a grant to the Homebrew project to enable Sigstore attestations and verification of Homebrew packages. When complete, the project will allow organizations to verify the provenance of the toolchains on their workstations and in their build environments, which is a critical part of securing every software supply chain.

Alpha-Omega is an associated project of the OpenSSF, funded by Microsoft, Google, and Amazon, whose mission is to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems. “Alpha-Omega is turning money into security,” said Michael Scovetta, Principal Security PM Manager at Microsoft. “With over $5M granted so far, Alpha-Omega has catalyzed security improvements across the open source ecosystem.”

Homebrew is the predominant package manager for macOS, with millions of daily users and hundreds of active contributors. Homebrew is also widely used on Linux and preinstalled on GitHub Actions’ hosted runners. Homebrew successfully delivers over 500 million binary builds of open-source packages to users each year.

The goal of this project is to make the signing and verification of Homebrew packages (called bottles) boring and easy. “Package managers like Homebrew are the app stores of software development and have become critical points of leverage in securing our software supply chains”, said Michael Winser, Technical Strategist at Alpha-Omega. Homebrew already signs its commits with GPG, but a commit signature covers only the formula source in git, not the binary bottles that CI builds from it, so today neither the Homebrew client nor its users have a way to detect a compromised bottle.

This is where Sigstore and SLSA come in. Sigstore makes the hard problems of key and identity management and verification much easier for producers and consumers alike: signers use short-lived keys tied to an authenticated identity, and signatures are recorded in a public transparency log, so nobody has to manage long-lived signing keys. SLSA is a specification for describing and incrementally improving supply chain security. With this project, every bottle provided by homebrew-core will be digitally signed, together with provenance, in a manner that proves it was built on Homebrew’s trusted CI/CD rather than on a maintainer’s machine. That is what SLSA Build Level 2 requires: provenance generated by a hosted build platform and signed so that consumers can verify it came from that platform.
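To make concrete what a client checks once it has such an attestation, here is an added example (not Homebrew’s or Trail of Bits’ code, and not part of the original post) of the policy layer a consumer runs on a bottle’s SLSA provenance. It uses two real, public formats, an in-toto v1 Statement carrying a SLSA v1 provenance predicate wrapped in a DSSE envelope, and assumes the Sigstore signature over that envelope has already been verified by a Sigstore client; it shows only what the signed payload must say. The builder URI, bottle name and bottle bytes are constructed for illustration, and it also exercises two failure modes the text implies: a tampered bottle and a bottle built outside the trusted CI.

```python
"""Policy checks a consumer runs on a bottle's SLSA provenance before trusting it.

Added example, not Homebrew's or Trail of Bits' code. It uses two real, public
formats (an in-toto v1 Statement carrying a SLSA v1 provenance predicate, wrapped
in a DSSE envelope) and ASSUMES the Sigstore signature over the envelope has
already been verified by a Sigstore client. Everything here is about what the
signed payload must say; it is not a substitute for signature verification.
The builder URI, file name and bottle bytes are constructed for illustration.
"""
import base64
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Hypothetical builder identity. A real client pins the identity of the CI
# workflow it trusts; it never takes the "trusted" id from the attestation itself.
TRUSTED_BUILDER_ID = "https://ci.example.invalid/homebrew-core/build-bottle"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_envelope(artifact: bytes, name: str, builder_id: str) -> dict:
    """Build a DSSE envelope around a SLSA v1 statement for `artifact`.

    Stands in for what a CI build step plus a Sigstore signer would emit. The
    `signatures` entry is a placeholder: Sigstore would put a real signature
    and certificate there, and the consumer would verify them before this step.
    """
    statement = {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {"buildType": "https://ci.example.invalid/build/v1"},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": DSSE_IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": "<verified-by-sigstore-before-this-step>"}],
    }


def check_bottle(envelope: dict, artifact: bytes, name: str) -> tuple[bool, str]:
    """Return (True, builder_id) if `artifact` is bound to a trusted build,
    else (False, reason). Checks run in the order a client should stop on."""
    if envelope.get("payloadType") != DSSE_IN_TOTO_PAYLOAD_TYPE:
        return False, "unexpected DSSE payloadType"
    try:
        statement = json.loads(base64.b64decode(envelope["payload"]))
    except (KeyError, ValueError) as exc:
        return False, f"undecodable payload: {exc}"
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        return False, "not an in-toto v1 Statement"
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        return False, "not a SLSA v1 provenance predicate"

    # Subject binding: a valid signature over a statement about some OTHER
    # file proves nothing about this one, so match on digest, then on name.
    digest = sha256_hex(artifact)
    same_digest = [s for s in statement.get("subject", [])
                   if s.get("digest", {}).get("sha256", "").lower() == digest]
    if not same_digest:
        return False, "bottle digest is not a subject of the statement"
    if name not in {s.get("name") for s in same_digest}:
        return False, "digest matches but subject name does not"

    # Builder binding: this is the Build L2 property. The provenance must say
    # the artifact came from the build platform the consumer trusts.
    builder_id = (statement.get("predicate", {}).get("runDetails", {})
                  .get("builder", {}).get("id"))
    if builder_id != TRUSTED_BUILDER_ID:
        return False, f"untrusted builder id {builder_id!r}"
    return True, builder_id


# Constructed sample: a "bottle" and its attestation, then two failure modes.
BOTTLE = b"constructed stand-in for foo-1.0.arm64_sonoma.bottle.tar.gz"
BOTTLE_NAME = "foo-1.0.arm64_sonoma.bottle.tar.gz"
GOOD_ENVELOPE = make_envelope(BOTTLE, BOTTLE_NAME, TRUSTED_BUILDER_ID)
ROGUE_ENVELOPE = make_envelope(BOTTLE, BOTTLE_NAME, "https://laptop.example.invalid/dev")

if __name__ == "__main__":
    print(check_bottle(GOOD_ENVELOPE, BOTTLE, BOTTLE_NAME))
    print(check_bottle(GOOD_ENVELOPE, BOTTLE + b"\x00", BOTTLE_NAME))  # tampered bottle
    print(check_bottle(ROGUE_ENVELOPE, BOTTLE, BOTTLE_NAME))  # built outside trusted CI
```

The order of checks matters in practice: the digest check ties the attestation to the exact bytes downloaded, and the builder check is where Build Level 2 is actually enforced. A signature that verifies but names a builder the client does not trust is exactly the case the project is meant to make detectable.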

This work will be done as open source in the Homebrew project by Trail of Bits in collaboration with the Homebrew community. We encourage you to read their post, which goes into more technical detail about the challenges of signing, what SLSA Build Level 2 entails, and how Sigstore makes it practical.

Alpha-Omega grants are driving high-leverage improvements in security across the open source ecosystem. We’re always interested in new projects and opportunities where we can help. You can learn more on our grants page or by attending one of our monthly public meetings.
