6 Reasons Why You Should Verify, Not Just Trust, Your Software Supply Chain

In a world where software vulnerabilities can ripple through entire ecosystems at lightning speed, the age-old practice of blindly trusting well-known components is no longer a viable security strategy. In March 2026, Daniel Stenberg, the creator and lead developer of the ubiquitous curl library, published a compelling blog post arguing that organizations and individuals must shift from a trust-based model to one grounded in active verification. Using curl's own rigorous practices as a case study, Stenberg outlines a concrete path forward for the industry. This article distills the core takeaways from his call to action into six actionable insights for anyone involved in software development or consumption.

1. The Default of Trust is No Longer Safe

For years, the software industry operated on an implicit assumption that widely used open source projects like curl, OpenSSL, or Linux kernel components are inherently trustworthy. Stenberg challenges this notion outright, pointing out that popularity does not equal security. Modern supply chain attacks—such as those that inject malicious code into trusted repositories or compromise maintainer accounts—have proven that no component is immune. The default position of trust is a dangerous gamble. Instead, Stenberg urges every organization to adopt a mindset of "trust but verify"—or better yet, "verify first, trust later." This means treating every piece of software, from a minor library to a major framework, as potentially suspicious until its integrity is confirmed through independent checks. The cost of a single breach can dwarf the effort required to implement proper verification processes.

6 Reasons Why You Should Verify, Not Just Trust, Your Software Supply Chain — Source: www.infoq.com

2. Curl's Example: How Verification Works in Practice

Stenberg uses curl as a living demonstration of what verification can look like. The curl project doesn't just release tarballs and source code; it provides reproducible builds, cryptographically signed releases, and detailed checksums. Every official release is signed with a GPG key that has a well-established web of trust, and the build process is designed to be repeatable by third parties. This means that anyone can download the source, compile it themselves, and compare the hash to the official one—ensuring that what they're using matches exactly what the maintainers intended. Stenberg emphasizes that these practices are not burdensome; they've been part of curl's workflow for years. The takeaway is that verification doesn't require huge resources—just a commitment to transparency and a few extra steps in the release pipeline.

3. The Role of Code Signing and Checksums

One of the most straightforward ways to verify software is through cryptographic signatures and checksums. Stenberg highlights that these tools are already widely available but underutilized. A checksum (like SHA-256) verifies that a downloaded file hasn't been corrupted or tampered with during transit, while a GPG signature confirms the file's authenticity and provenance. Unfortunately, many organizations skip these steps, often because they lack the infrastructure or assume someone else is doing the checking. Stenberg argues that this is a critical gap. He advises users to always verify signatures against the maintainer's public key, which should be obtained from a trusted source (like the project's official website or key servers). Moreover, projects should make their signing keys widely known and regularly updated to avoid key compromise attacks.

4. Automating Verification with CI/CD Pipelines

Manual verification is a good start, but for enterprise-scale operations, automation is key. Stenberg suggests integrating verification steps directly into continuous integration and continuous delivery (CI/CD) pipelines. Tools like curl's own build scripts can be adapted to automatically fetch, verify, and build dependencies before deployment. This ensures that every component entering the supply chain is checked without relying on human memory or diligence. For example, a pipeline could be configured to download the latest version of a library, verify its GPG signature using a stored public key, compute its hash, and then build the application only if both checks pass. By baking verification into the automation layer, organizations can maintain security without slowing down development velocity.

5. Community Collaboration for Transparency

No single organization can verify every piece of software on its own. Stenberg points out that the open source community itself is the best resource for building a collective verification infrastructure. Projects like curl already publish reproducible build instructions and encourage users to report discrepancies. Stenberg advocates for broader adoption of such practices, including shared repositories of software artifacts with verified provenance, common signing standards, and public dashboards showing build reproducibility rates. He also calls for more transparency around maintainer identities and key management. When users can easily see who signed a release and how that key is protected, trust becomes a verifiable property rather than an article of faith. The community can also spot anomalies—like an unexpected signature change—which can be early signs of a compromise.

6. The Future of Software Supply Chain Security

Stenberg's blog post is both a wake-up call and a roadmap. He envisions a future where verification is not an afterthought but a standard part of every software lifecycle. Initiatives like software bills of materials (SBOMs) and signed attestations are gaining traction, but they need to be paired with actual verification mechanisms. Stenberg challenges the industry to move beyond checklists and mandates toward a culture where developers and users demand proof. The curl project's example shows that it's feasible even for small teams. As supply chain attacks grow more sophisticated, the only sustainable defense is a shift from trust to verification. Every organization, regardless of size, can start today by adopting the practices curl has used for years—because in the end, security is not about who you trust, but what you can verify.

In conclusion, Daniel Stenberg's call to verify rather than blindly trust software components is more than a technical recommendation—it's a fundamental shift in how we approach security. By following the six principles outlined here—abandoning default trust, learning from curl's example, using cryptographic tools, automating verification, collaborating with the community, and building for the future—you can significantly reduce your exposure to supply chain attacks. The tools are already available, and the knowledge is shared. The only missing piece is the will to change. Start verifying today.

Tags: