Sigstore January Roundup

Welcome to the January edition of the Sigstore Roundup! This is a regular summary of Sigstore news, events, releases and other happenings.

Events

KubeCon Europe 2024: The next KubeCon Europe will be held on 19th – 22nd March. There are several Sigstore-related talks and events planned for KubeCon Europe, including:

Securing the Supply Chain with Sigstore Artifacts Signatures at Scale - Dmitry Savintsev & Yonghe Zhao, Yahoo
Navigating the Software Supply Chain Defense Landscape - Marina Moore & Aditya Sirish A Yelgundhalli, New York University
Contribfest: Enable Additional Signing Mechanisms for TUF and in-toto: No Cryptography Skills Required

FOSDEM 2024: The next FOSDEM will be held in Brussels, Belgium on the 3rd & 4th February 2024, along with a talk on Sigstore and SLSA by John Viega.

Sigstore November Roundup

Welcome to the November edition of the Sigstore Roundup! This is a regular summary of Sigstore news, events, releases and other happenings.

Sigstore Google Season of Docs 2023 Case Study: A very comprehensive case study has been published on the Sigstore docs wiki about the Sigstore project’s participation in the 2023 program. Thank you Lisa Tagliaferri for all your hard work on this and making it a success!

Latest Releases: Rekor v1.

OpenPubkey and Sigstore

Disclaimer: The following is representative of the author's views, and not necessarily those of the Sigstore community. OpenPubKey was announced October 4th by Docker and BastionZero as a new Linux Foundation project. It’s a new scheme for using OIDC providers to sign arbitrary objects. It bears a lot of resemblance to Sigstore, so I thought it would be worth taking some time to explain the differences, including some advantages and disadvantages.

Announcing sigstore-go

Today we’re excited to announce a new open source library, sigstore-go, that represents the future of Sigstore’s support for the Go programming language. Since the beginning, Sigstore has been primarily written in Go, but there has been a gap over the past year or so since we established the Protobufs-based bundle format: the de facto standard client (Cosign) lacks support for it. Cosign-the-library is also heavily focused on OCI use cases, which makes it difficult for library integrators who want to limit their implementations to core sign/verify flows; it also supports a wide variety of verification options, which creates potentially confusing duplication.

npm's Sigstore-powered provenance goes GA

Last week saw the GA release of npm CLI’s native Sigstore functionality, a project over a year in the making. This is a tremendous milestone for the adoption of Sigstore in open source projects and represents huge progress in effecting a cultural shift toward expecting provenance to exist for software components. It also helps move npm toward the best practices articulated by the OpenSSF’s Securing Open Source Repos Working Group in their document “Build Provenance for All Package Registries”.