Independent validation by large open source projects further strengthens Community Attestation Service
HOUSTON--(BUSINESS WIRE)--Codenotary, leaders in software supply chain security, today announced it has added independent cryptographic validator nodes to its free and open source Community Attestation Service (CAS), providing another level of transparency, security and third-party verifiability of the data open-source projects notarize and authenticate using the service.
The AlmaLinux and Home Assistant projects are using the CAS independent validation to provide another layer of security on top of CAS’ code inventory and Software Bill of Materials (SBOM), helping to ensure no one has tampered with the data once it has been written. AlmaLinux and Home Assistant each have their own validator, and each instance is fully independent of the other.
“This independent validation service allows anyone, anywhere in the world to verify the integrity of the data that is stored in the CAS,” said Moshe Bar, co-founder and CEO of Codenotary. “It ensures that there is transparency and visibility into the backend of the service and that the notarization information stored is true and complete – so there is complete trust in the software being used. We encourage others to begin adding independent validators, as well.”
Backed by the open source immudb tamper-proof database, the CAS gives all open source software users the ability to generate a Software Bill of Materials that provides an inventory of their software's components.
The CAS processes 1,200 transactions per second, with a run rate of about 1.2 million transactions per day. Millions of software assets (code, binaries, libraries, containers) have been notarized in the less than six months that the service has been available, a major step forward in supply chain security posture for open source projects.
“CAS is a tremendous service to the open source community and at AlmaLinux we are deploying CAS as part of our build system,” said benny Vasquez, chair of the board of directors for AlmaLinux, the leading alternative to CentOS. “CAS, being totally free, is truly helping developers to secure the software they use, while enabling users to trust what they get.”
Home Assistant, provider of popular home automation software, uses the CAS to ensure the integrity of its software, as well as add-ons.
“Our content trust system uses CAS to enable both core and providers of third-party add-on extensions to Home Assistant to verify that the software delivered to our global community of users is secure, and what our users download and install is exactly the same as it was released by its creator and ensures nobody messed with it along the way. It helps to build a trustworthy IoT space,” said Pascal Vizeli, co-founder of Nabu Casa and core developer of Home Assistant.
Anyone can secure the open source software they are using and generate SBOMs for free using Codenotary’s CAS.
Codenotary brings easy-to-use trust and integrity into the software lifecycle by providing end-to-end cryptographically verifiable tracking and provenance for all artifacts, actions, and dependencies. Codenotary can be set up in minutes and can be fully integrated with modern CI/CD platforms. It is the only immutable and client-verifiable solution available that is capable of processing millions of transactions a second. With the Codenotary tamper-proof bill of materials, users can instantly identify untrusted components in their software builds. For more information, go to https://www.codenotary.com.
Joe Eckert for Codenotary