Using rekor-monitor to Scan Your Transparency Logs

Overview As part of the tool suite within Sigstore that focuses on providing transparency in the software supply chain, Rekor, Sigstore’s signature transparency log, and Fulcio’s certificate transparency log provide discoverability and auditability for signed artifact metadata and code-signing certificates. These immutable, append-only logs help secure the software supply chain by making it easier to show what actions have been performed by a compromised identity. A variety of improvements have recently been integrated into rekor-monitor to make it easier to use.

PyPI's Sigstore-powered attestations are now generally available

Check out the PyPI blog and Trail of Bits blog for more user-facing and technical details, respectively! Over the past year, the Google Open Source Security Team and Trail of Bits have worked together to implement PEP 740, a Python packaging standard that allows users to upload Sigstore-based attestations to the Python Package Index. Today we’re pleased to announce that attestation support on PyPI is generally available, meaning that project maintainers can submit attestations for both PyPI and downstream users to verify.

Fulcio Streamlines Onboarding for CI Identity Providers

TL;DR Fulcio, the Sigstore certificate authority, has introduced a new feature that simplifies the onboarding process for identity providers, mainly for continuous integration. This enhancement eliminates the need for complex, provider-specific logic implementations. Traditionally, integrating a new identity provider for CI involved significant development effort, which required understanding the codebase and cutting a new release. However, with this update, onboarding is reduced to configuring a YAML file which houses essential provider information for building certificate extensions based on ID token claims.

Announcing sigstore-java 1.0

sigstore-java The sigstore-java project brings the Sigstore signing and verification paradigm to the Java ecosystem. It is built natively in Java and is easy to integrate with your Maven and Gradle builds or custom workflows. 1.0 Stable Release Today, thanks to the support of the community and the work of our contributors, we’re excited to announce a 1.0 stable release of the sigstore-java client. This includes a library (dev.sigstore:sigstore-java) for programmatic access to the Sigstore signing and verification APIs.

cosign Verification of npm Provenance, GitHub Artifact Attestations, and Homebrew Provenance

One of the features of the cosign v2.4.0 release allows you to verify attestations in the bundle format used by npm provenance, GitHub Artifact Attestations, and Homebrew provenance. This is part of all Sigstore clients supporting the bundle format as outlined in the community roadmap. We’ll show how to perform that verification for each ecosystem, and explain some of the details involved. You’ll notice these examples follow the same general pattern of getting an artifact to verify, getting the bundle that contains the signed attestation about that artifact, and then providing a verification policy to cosign via command line flags.