October 5, 2023

Linux Foundation publishes new OpenPubkey passwordless protocol

Applications, code commits and software supply chains can be automatically signed using OpenID Connect.

By Ryan Morrison

A new passwordless security protocol has been launched by the Linux Foundation and tech vendors BastionZero and Docker to secure open source software ecosystems. Dubbed OpenPubkey, it allows users to securely and accurately bind cryptographic keys to other users and workloads, removing the need to remember passwords.

Developers will be able to automatically sign applications and code commits using OpenID Connect. (Photo by Tero Vesalainen/Shutterstock)

There has been a drive across the technology sector to move away from passwords as a mechanism to combat phishing and data breaches. Google, Apple and Microsoft are moving to passkey solutions that use biometrics to access an account, and others, such as IBM, are pushing for the change in enterprise settings.

OpenPubkey is being integrated into Docker container signing by BastionZero, which will allow for passwordless authentication of open source software. The new protocol was developed by BastionZero as part of its secure infrastructure access product.

The protocol works by turning an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA). This allows cryptographic keys to be bound to workloads and users. BastionZero says the integration will allow it to enhance software supply chain security.

OpenID Connect is an open authentication protocol that is built on the OAuth 2.0 framework and allows users to single sign-on via third-party providers. This allows a user to access multiple platforms, such as newspapers or tools, while providing personal information only once.
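As an added illustration (not OpenPubkey's or Docker's own code, which is not on this page), here is a minimal Go model of the binding described above. It assumes, following OpenPubkey's published design, that the client commits to its own public key in the OIDC nonce claim so that the IdP's signature on the ID token also covers that key; the IdP's JWT is replaced by JSON claims plus an ed25519 signature, and the keys, e-mail address and artifact are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// IDToken stands in for the JWT an OIDC IdP issues: JSON claims plus the IdP's signature.
type IDToken struct{ Claims, Sig []byte }

// nonceCommitment derives the OIDC nonce from the user's key and a salt, so the IdP's signature covers the key too.
func nonceCommitment(pub ed25519.PublicKey, salt []byte) string {
	h := sha256.Sum256(append(append([]byte{}, pub...), salt...))
	return hex.EncodeToString(h[:])
}

// issueToken plays the IdP: it signs the email plus whatever nonce the client asked for.
func issueToken(idpPriv ed25519.PrivateKey, email, nonce string) IDToken {
	claims, _ := json.Marshal(map[string]string{"email": email, "nonce": nonce})
	return IDToken{Claims: claims, Sig: ed25519.Sign(idpPriv, claims)}
}

// Verify is the relying party: IdP signature, then key commitment, then artifact signature; returns the bound identity.
func Verify(idpPub ed25519.PublicKey, tok IDToken, pub ed25519.PublicKey, salt, artifact, sig []byte) (string, error) {
	if !ed25519.Verify(idpPub, tok.Claims, tok.Sig) {
		return "", errors.New("ID token not signed by the trusted IdP")
	}
	var c struct{ Email, Nonce string }
	if err := json.Unmarshal(tok.Claims, &c); err != nil { return "", err }
	if c.Nonce != nonceCommitment(pub, salt) {
		return "", errors.New("nonce does not commit to the presented public key")
	}
	if !ed25519.Verify(pub, artifact, sig) {
		return "", errors.New("artifact signature does not verify under the bound key")
	}
	return c.Email, nil
}

func main() { // constructed end-to-end run with fresh IdP and user keys
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	salt, commit := []byte("constructed salt"), []byte("constructed commit payload")
	tok := issueToken(idpPriv, "dev@example.com", nonceCommitment(userPub, salt))
	fmt.Println(Verify(idpPub, tok, userPub, salt, commit, ed25519.Sign(userPriv, commit)))
}
```

The relying party never needs a password or a per-user CA certificate: the IdP's signature over the nonce is what vouches for the key, and a token presented with a different key, or one issued by an untrusted IdP, fails the checks in order.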

How OpenPubkey can be used by tech teams

Developers will be able to build out the software supply chain and security applications, and enable workloads and users to sign artefacts using an OpenID identity. The new protocol allows these OpenID keys to be linked to an application or workload. For example, they could be used to enable secure remote access or signed builds and deployments.

“The Linux Foundation is proud to host the OpenPubkey Project,” said Jim Zemlin, executive director of the Linux Foundation. “We believe this initiative will play a pivotal role in strengthening the security of the open source software community [and] we encourage developers and organisations to join this collaborative effort in enhancing software supply chain security.”


Another example of how the system can be used is to have all code commits within a project signed automatically using the OpenID set-up. Ethan Heilman, CTO of BastionZero, said OpenPubkey being a stand-alone protocol makes it easier and more secure to use digital signatures. 

He added that integrating it into Docker was a good way to bring it to the world. “We are excited to partner with Docker to offer its community of software developers and open source contributors a simple and convenient way for users, service accounts, machines, or workloads to create digital signatures using their identity,” Heilman said.

