Fulcio Streamlines Onboarding for CI Identity Providers

TL;DR: Fulcio, the Sigstore certificate authority, has introduced a new feature that simplifies the onboarding process for identity providers, mainly for continuous integration. This enhancement eliminates the need for complex, provider-specific logic implementations. Traditionally, integrating a new identity provider for CI involved significant development effort, which required understanding the codebase and cutting a new release. With this update, onboarding is reduced to configuring a YAML file that houses the essential provider information for building certificate extensions based on ID token claims.

Announcing sigstore-java 1.0

The sigstore-java project brings the Sigstore signing and verification paradigm to the Java ecosystem. It is built natively in Java and is easy to integrate with your Maven and Gradle builds or custom workflows.

1.0 Stable Release

Today, thanks to the support of the community and the work of our contributors, we’re excited to announce a 1.0 stable release of the sigstore-java client. This includes a library (dev.sigstore:sigstore-java) for programmatic access to the Sigstore signing and verification APIs.

cosign Verification of npm Provenance, GitHub Artifact Attestations, and Homebrew Provenance

One of the features of the cosign v2.4.0 release allows you to verify attestations in the bundle format used by npm provenance, GitHub Artifact Attestations, and Homebrew provenance. This is part of all Sigstore clients supporting the bundle format as outlined in the community roadmap. We’ll show how to perform that verification for each ecosystem, and explain some of the details involved. You’ll notice these examples follow the same general pattern of getting an artifact to verify, getting the bundle that contains the signed attestation about that artifact, and then providing a verification policy to cosign via command line flags.

Announcing SigstoreCon: Supply Chain Day

Join us for SigstoreCon: Supply Chain Day! Co-located with KubeCon NA 2024 in Salt Lake City, attendees will learn about simplifying signing and verification for digital artifacts using Sigstore, as well as related software supply chain efforts such as SLSA, The Update Framework, binary transparency, and more! The CFP deadline is September 13. Learn more and register for SigstoreCon here!

Topics for Talks

We are inviting submissions for Session Presentations (30 min) and Lightning Talks (10 min).

sigstore-go verification and signing now in beta

Recent sigstore-go releases include signing support, as well as moving both the verification and signing APIs from unstable to beta. sigstore-go is used in several open source projects such as the SLSA verifier, the GitHub CLI, and Stacklok Minder. Cosign and sigstore-go are similar in that they are both written in Go, but the main differences are that sigstore-go is not a full-fledged CLI, and that it supports the protobuf bundle format.