Sigstore Update — September 2022

SigstoreCon

The SigstoreCon call-for-papers closed last month and the program committee has been busy ranking the 23 great submissions received. Many thanks to all who submitted talks. And thanks to our program committee members: Priya Wadhwa, Lily Sturman, Appu Goundan, Jacques Chester, and Batuhan Apaydin. The program will be announced on September 13. We hope to see you at SigstoreCon, our first official event, on October 25 in Detroit, co-located with KubeCon + CloudNativeCon North America.

Signing and Securing Confidential Kubernetes Clusters in the Cloud with Sigstore

This is a Sigstore case study contributed by Fabian Kammel of Edgeless Systems.

Confidential computing is an exciting new technology that can help make the public cloud more secure. It protects data stored on leased third-party infrastructure and ensures nobody modifies or intercepts it, whether it resides in the cloud or is being routed to or from your internal assets. But it’s also vital that security solutions like those of Edgeless Systems are secure themselves.

Verify cosign signatures in Go using sigstore/sigstore

After integrating cosign into the release process of Constellation’s CLI, I also wanted to improve the supply chain security of the metadata that is used for attestation. Using the cosign CLI for signing and verifying blobs or container images is a well-documented process. The sigstore/sigstore project is the common Go library for all Sigstore services and clients and has documented public functions, but I was unable to find examples of how to use them together.
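The key-based verification the post above is about, as an added example (not code from the post, from Constellation, or from sigstore/sigstore): `cosign sign-blob --key cosign.key` emits a base64 string wrapping a DER-encoded ECDSA P-256 signature over the SHA-256 digest of the blob, and `cosign.pub` is a PKIX "PUBLIC KEY" PEM. The verifier below reproduces that check with only the Go standard library, which is the primitive the sigstore/sigstore ECDSA verifier wraps; the library's own entry points are not reproduced here. The key pair, blob and `signBlobLikeCosign` helper are constructed for the demo (cosign's passphrase-encrypted private key file is not modelled), and the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// VerifyCosignBlobSignature checks a detached signature of the shape
// `cosign sign-blob --key cosign.key <blob>` writes: base64 text around a
// DER (ASN.1) ECDSA signature over sha256(blob). pubPEM is the content of
// the matching cosign.pub. A nil return means the signature verifies.
func VerifyCosignBlobSignature(pubPEM []byte, blob []byte, sigB64 string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("expected a PEM block of type PUBLIC KEY")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse public key: %w", err)
	}
	// cosign generates ECDSA P-256 keys; refuse anything else rather than
	// silently accepting a weaker or mismatched key type.
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok || ecPub.Curve != elliptic.P256() {
		return errors.New("expected an ECDSA P-256 public key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("decode base64 signature: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(ecPub, digest[:], sig) {
		return errors.New("signature does not verify against blob and key")
	}
	return nil
}

// signBlobLikeCosign is a constructed stand-in for `cosign sign-blob`: it
// signs sha256(blob) with an in-memory P-256 key and base64-encodes the
// DER signature. It exists only so the example is self-contained.
func signBlobLikeCosign(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// publicKeyPEM renders the public half in the same PEM form cosign.pub uses.
func publicKeyPEM(priv *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed key
	if err != nil {
		panic(err)
	}
	pubPEM, err := publicKeyPEM(priv)
	if err != nil {
		panic(err)
	}
	blob := []byte("constructed attestation metadata, version 1\n") // constructed input
	sig, err := signBlobLikeCosign(priv, blob)
	if err != nil {
		panic(err)
	}
	tampered := append([]byte{}, blob...)
	tampered[0] ^= 0x01
	fmt.Println("original blob:", VerifyCosignBlobSignature(pubPEM, blob, sig))
	fmt.Println("tampered blob:", VerifyCosignBlobSignature(pubPEM, tampered, sig))
}
```

Swap the generated key and helper for the real `cosign.pub` and the signature file `cosign sign-blob` wrote and the verifier accepts exactly what `cosign verify-blob --key cosign.pub --signature <sig> <blob>` accepts. This covers only the key-based path; keyless (Fulcio certificate plus Rekor inclusion) verification involves certificate and transparency-log checks that are not shown here.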

Sigstore Update — August 2022

It has been very busy in the Sigstore community over the past few weeks, with lots of activity and initiatives progressing at speed. With so many exciting things happening it’s hard to keep up, but here’s a summary of the highlights from the past month.

npm set to adopt Sigstore

GitHub just announced a new request for comments (RFC) for linking packages to their source and build environment for the npm package manager.

Adopting Sigstore Incrementally

Developers, package maintainers, and enterprises that would like to adopt Sigstore may already sign their published artifacts, and may have existing procedures for securely storing and using signing keys. Sigstore can be used to sign artifacts with those existing self-managed, long-lived signing keys. It provides a simple user experience for signing and verification and for generating structured signature metadata for artifacts and container images. Sigstore also offers a community-operated, free-to-use transparency log for auditing signature generation.