May 14, 2024

Written by William Woodruff (Trail of Bits), Hayden Blauzvern (Google)

Homebrew's Sigstore-powered provenance is in beta

Last November, Alpha-Omega and Trail of Bits announced a collaboration to bring build provenance to homebrew-core. Today, we are pleased to announce that the core of that work is live and in public beta: homebrew-core is now using Sigstore to cryptographically attest to all bottles built in the official Homebrew CI. This is aligned with Sigstore’s mission: to support frictionless and transparent provenance on all artifact registries. Homebrew’s build provenance follows last year’s npm provenance feature, making Homebrew the second major packaging ecosystem to adopt Sigstore!

Tags:  sigstoresecurityhomebrew

Mar 14, 2024

Written by Sigstore TSC

Sigstore Announcement: New TUF Trust Root and Client Compatibility

New TUF Trust Root We are planning to publish a new TUF trust root for Sigstore. This update does not contain any functional changes, but it does update to the latest version of the TUF specification. This means that older clients may not be able to load it properly. The current compatibility is as follows: Cosign Releases >= v2.2.0 (v2.2.0 released Aug 31st 2023) work. Older Cosign clients (< v2.2.0) will not work v1.

Tags:  sigstorecosigntuf

Mar 14, 2024

Written by Sigstore TSC & Community Chair

Sigstore - An OpenSSF Graduated Project

Sigstore Graduates: A Monumental Step Towards Secure Software Supply chain security took a giant leap forward this month as Sigstore officially became a graduated project within the Open Source Security Foundation (OpenSSF). This milestone is a testament to Sigstore’s maturity, adoption, and its undeniable impact on making the creation and distribution of software more trustworthy. What is Sigstore? For those unfamiliar, Sigstore is a suite of tools designed to streamline secure software signing & verification of artifacts such as binaries, containers and attestations.

Tags:  sigstoresecuresupplychain

Mar 1, 2024

Written by Luke Hinds (TSC Chair)

Sigstore February Roundup

Welcome to the February edition of the Sigstore Roundup! This is a regular summary of Sigstore news, events, releases and other happenings. Events KubeCon Europe 2024 The next KubeCon Europe will be held on 19th – 22nd March. There are several Sigstore related talks and events planned for KubeCon Europe, including: Securing the Supply Chain with Sigstore Artifacts Signatures at Scale - Dmitry Savintsev & Yonghe Zhao, Yahoo Navigating the Software Supply Chain Defense Landscape - Marina Moore & Aditya Sirish A Yelgundhalli, New York University Contribfest: Enable Additional Signing Mechanisms for TUF and in-toto: No Cryptography Skills Required Open Source Summit North America 2024 The next Open Source Summit North America will be held on April 16th – 18th

Tags:  sigstoresecuresupplychain

Jan 30, 2024

Written by Luke Hinds (TSC Chair)

Sigstore January Roundup

Welcome to the January edition of the Sigstore Roundup! This is a regular summary of Sigstore news, events, releases and other happenings. Events KubeCon Europe 2024 The next KubeCon Europe will be held on 19th – 22nd March. There are serveral Sigstore related talks and events planned for KubeCon Europe, including: Securing the Supply Chain with Sigstore Artifacts Signatures at Scale - Dmitry Savintsev & Yonghe Zhao, Yahoo Navigating the Software Supply Chain Defense Landscape - Marina Moore & Aditya Sirish A Yelgundhalli, New York University Contribfest: Enable Additional Signing Mechanisms for TUF and in-toto: No Cryptography Skills Required FOSDEM 2024 The next FOSDEM will be held in Brussels, Belgium on the 3rd & 4th February 2024 along with a talk on Sigstore and SLSA by John Viega.

Tags:  sigstoresecuresupplychain