The SolarWinds attackers were able to insert malicious code into the Orion software by subverting the build environment, the process by which a program is compiled and deployed. The Sunspot malware watched the build servers for build commands and replaced source code with its own malicious instructions. The problem this posed to security teams was that the Orion software was digitally signed with a valid SolarWinds certificate, which made it appear trustworthy. Organizations running Orion had no way of knowing that SolarWinds itself had been compromised.
Enter the Reproducible Builds concept, a project working on a defence against supply chain attacks such as the recent SolarWinds events. “This ability to notice if a developer has been compromised then deters such threats or attacks from occurring in the first place, as any compromise would be quickly detected. This offers comfort to front-liners that they not only can be threatened, but they would not be coerced into exploiting or exposing their colleagues or end-users.” Current methods of signing software prove to be either overly complicated, slowing production, or plainly insecure, as some of these public key digests are published in a README file or on websites with actively exploited vulnerabilities. So the Linux Foundation, in partnership with Red Hat and Google, has released the Sigstore project. Users generate ephemeral, short-lived cryptographic key pairs, and the Sigstore PKI service issues a signing certificate, recorded in an immutable transparency log, on the strength of an OpenID Connect grant.
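As an added illustration, not code from the Reproducible Builds project or from Sigstore, the following Python models the check a reproducible build makes possible: independent parties rebuild the same source and compare digests with the vendor's shipped artifact, so a binary tampered with at build time is caught even though the vendor's signature on it is perfectly valid. The "compiler", the source tree and the implant are all constructed stand-ins.

```python
"""Reproducible-build verification, modelled on the SolarWinds scenario.
Constructed example: a toy deterministic 'compiler' stands in for a real
toolchain, and the digests are plain SHA-256 over the produced bytes."""
import hashlib
from typing import Callable, Dict


def deterministic_build(source: str) -> bytes:
    """Stand-in for a deterministic toolchain: same source -> same bytes."""
    return b"ELF-STUB:" + hashlib.sha256(source.encode()).digest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_reproducible(vendor_artifact: bytes, rebuilds: Dict[str, bytes]) -> dict:
    """Compare the vendor-shipped binary against independent rebuilds.

    A valid code-signing certificate only proves who signed the bytes; it
    says nothing about whether the build environment that produced them
    was subverted. Agreement of independent rebuilds does."""
    vendor_digest = sha256_hex(vendor_artifact)
    mismatches = {name: sha256_hex(b) for name, b in rebuilds.items()
                  if sha256_hex(b) != vendor_digest}
    return {"vendor": vendor_digest,
            "reproducible": not mismatches,
            "mismatches": mismatches}


SOURCE = "int main(void) { return 0; }"   # constructed source tree


def honest_pipeline(source: str) -> bytes:
    """Vendor build server compiling the published source as-is."""
    return deterministic_build(source)


def tampered_pipeline(source: str) -> bytes:
    """Models a build-server implant swapping the source just before it is
    compiled; the resulting binary is then signed with the vendor's real key."""
    return deterministic_build(source + " /* implant */")


def run_scenario(vendor_pipeline: Callable[[str], bytes]) -> dict:
    """Two independent builders rebuild SOURCE and check the vendor artifact."""
    vendor_artifact = vendor_pipeline(SOURCE)
    rebuilds = {"builder-a": deterministic_build(SOURCE),
                "builder-b": deterministic_build(SOURCE)}
    return verify_reproducible(vendor_artifact, rebuilds)


if __name__ == "__main__":
    print("honest:  ", run_scenario(honest_pipeline)["reproducible"])
    print("tampered:", run_scenario(tampered_pipeline)["reproducible"])
```

In the tampered case every independent rebuild disagrees with the signed vendor artifact, which is exactly the signal the Orion victims lacked.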