Announcing the Sigstore Clients Special Interest Group (sig-clients)

We are delighted to announce the creation of the Clients Special Interest Group (sig-clients) for the Sigstore project. This exciting new initiative marks the first SIG for Sigstore and serves as an experiment in organizing efforts across the Sigstore project. The sig-clients repository is your one-stop shop for all things related to Sigstore clients across various languages and ecosystems. This group has the following mission: Make Sigstore clients across languages/ecosystems easy-to-write, compatible, and secure by providing shared designs/documentation, data formats, and test suites.

Bringing Privacy and Security Full Circle Through Automated Authentication

This is a Sigstore case study contributed by Max Furman of Smallstep No matter how well you think you secure your software supply chain, the possibility of a breach is always in the back of your mind. We recently had a moment of panic where we thought, “Did someone get access to some things we stored in secrets?” I wondered what damage they’d done and how quickly we could repair it.

Sigstore Support in NPM launches for Public Beta

We’re thrilled to announce that the npm project has launched a public beta, bundling Sigstore support directly into the npm Command-Line Interface (CLI). This innovation brings strong origin guarantees to the npm ecosystem and marks the first time that a large package registry technology is using public software signatures to attest to a package’s originating source code and build instructions. Sigstore is an OpenSSF project that enables developers to validate that the software they are using is exactly what it claims to be using cryptographic digital signatures and transparency log technologies.

Cosign 2.0 Released!

Cosign 2.0 has arrived! Cosign 2.0 follows Sigstore’s General Availability launch, which offers production grade stable services for artifact signing and verification. Cosign’s most significant change is to no longer require COSIGN_EXPERIMENTAL=1, since the Sigstore services are now stable! By default, Cosign will fetch an identity-based certificate from Fulcio when a signing key is not provided, and upload the signature and signing key to Rekor to provide transparency. The following is the list of breaking changes:

Cosign and Policy-controller with GKE, Artifact Registry and KMS

As soon as I came back from KubeCon NA 2022, my first ever in-person KubeCon, I felt re-energized. What a community, full of people eager to share knowledge and expertise with each others, so inspiring. I mostly attended sessions about security best practices for containers and Kubernetes (that’s what excites me these days!). Secure Software Supply Chain (S3C) was almost mentioned everywhere, for good reasons. Sigstore as a new standard for signing, verifying and protecting software, got its first own SigstoreCon as co-located event and hit the General Availability (GA) milestone.