Signing and Securing Confidential Kubernetes Clusters in the Cloud with Sigstore

This is a Sigstore case study contributed by Fabian Kammel of Edgeless Systems. Confidential computing is an exciting new technology that can help make the public cloud more secure. It protects data stored on leased third-party infrastructure and ensures nobody modifies or intercepts it, whether it resides in the cloud or is being routed to or from your internal assets. But it’s also vital that security solutions like those of Edgeless Systems are secure themselves.

Verify cosign signatures in go using sigstore/sigstore

After integrating cosign into the release process of Constellation’s CLI, I also wanted to improve the supply chain security of the metadata that is used for attestation. Using the cosign CLI for signing and verifying blobs or container images is a well-documented process. The sigstore/sigstore project is the common Go library for all Sigstore services and clients and has documented public functions, but I was unable to find examples of how to use them together.

Sigstore Update — August 2022

It has been very busy in the Sigstore community over the past few weeks, with lots of activity and initiatives progressing at speed. With so many exciting things happening it’s hard to keep up, but here’s a summary of the highlights from the past month.

NPM set to adopt Sigstore

GitHub just announced a new request for comments (RFC) for linking packages to their source and build environment for the npm package manager.

Adopting Sigstore Incrementally

Developers, package maintainers, and enterprises that would like to adopt Sigstore may already sign published artifacts. Signers may have existing procedures to securely store and use signing keys. Sigstore can be used to sign artifacts with existing self-managed, long-lived signing keys. Sigstore provides a simple user experience for signing, verification, and generating structured signature metadata for artifacts and container signatures. Sigstore also offers a community-operated, free-to-use transparency log for auditing signature generation.

Is Sigstore Ready for a Post-Quantum World?

A couple of weeks back, NIST made big news in the cryptographic community by announcing that it has selected four quantum-resistant encryption and digital signature algorithms for standardization. In recent years, worries about the threats that quantum computers pose to current encryption algorithms have precipitated a major effort to establish a “post-quantum” (PQ) cryptographic toolkit. NIST’s 99-page full report, which reflects six years of work by a group of expert cryptographers, details the algorithms and their performance and security characteristics. However, the report omits the answer to the question on every Sigstore user’s mind: is Sigstore ready for a post-quantum world?