Codenotary announced it has added independent cryptographic validator nodes to its free and open source Community Attestation Service (CAS), providing another level of transparency, security and third-party verifiability of the data open-source projects notarize and authenticate using the service.
The AlmaLinux and Home Assistant projects are using the CAS independent validation to provide another layer of security on top of CAS’ code inventory and Software Bill of Materials (SBOM), helping to ensure no one has tampered with the data once it has been written.
“This independent validation service allows anyone, anywhere in the world to verify the integrity of the data that is stored in the CAS,” said Moshe Bar, co-founder and CEO of Codenotary. “It ensures that there is transparency and visibility into the backend of the service and that the notarization information stored is true and complete – so there is complete trust in the software being used. We encourage others to begin adding independent validators, as well.“
Backed by the open source immudb tamper-proof database, the CAS enables all open source software users the ability to generate a Software Bill of Materials that provides an inventory of its components.
The CAS traffic processes 1,200 transactions per second with a run-rate of about 1.2 million transactions per day. Millions of software assets (code, binaries, libraries, containers) have been notarized in the less than six months that the service has been available, presenting a major step forward in supply chain security posture for open source projects.
“CAS is a tremendous service to the open source community and at AlmaLinux we are deploying CAS as part of our build system,” said benny Vasquez, chair of the board of directors for AlmaLinux, the leading alternative to CentOS. “CAS, being totally free, is truly helping developers to secure the software they use, while enabling users to trust what they get.”
Home Assistant, provider of popular home automation software, uses the CAS to ensure the integrity of its software, as well as add-ons.
“Our content trust system uses CAS to enable both core and providers of third-party add-on extensions to Home Assistant to verify that the software delivered to our global community of users is secure, and what our users download and install is exactly the same as it was released by its creator and ensures nobody messed with it along the way. It helps to build a trustworthy IoT space,” said Pascal Vizeli, co-founder of Nabu Casa and core developer of Home Assistant.”
Anyone can secure the open source software they are using and generate SBOMs for free using Codenotary’s CAS.