SigstoreCon Program Announced

This year we are hosting the very first SigstoreCon in Detroit, Michigan as part of KubeCon + CloudNativeCon North America. The event will take place on October 25th, 2022. SigstoreCon is a one-day, vendor-neutral conference organized by the Sigstore community and focused on all things Sigstore. We’re happy to announce the program for the first-ever SigstoreCon is now ready! Thank you to everyone who took the time to submit a talk.

Sigstore Update — September 2022

SigstoreCon: The SigstoreCon call-for-papers closed last month and the program committee has been busy ranking the 23 great submissions received. Many thanks to all who submitted talks. And thanks to our program committee members: Priya Wadhwa, Lily Sturman, Appu Goundan, Jacques Chester, and Batuhan Apaydin. The program will be announced on September 13. We hope to see you at SigstoreCon, our first official event, on October 25 in Detroit, in co-location with KubeCon + CloudNativeCon North America.

Signing and Securing Confidential Kubernetes Clusters in the Cloud with Sigstore

This is a Sigstore case study contributed by Fabian Kammel of Edgeless Systems. Confidential computing is an exciting new technology that can help make the public cloud more secure. It protects data stored on leased third-party infrastructure and ensures nobody modifies or intercepts it, whether it resides on the cloud or is being routed to or from your internal assets. But it’s also vital that security solutions like those of Edgeless Systems are secure themselves.

Verify cosign signatures in Go using sigstore/sigstore

After integrating cosign into the release process of Constellation’s CLI, I also wanted to improve the supply chain security of our metadata that is used for attestation. Using the cosign CLI for signing and verifying blobs or container images is a well-documented process. The sigstore/sigstore project is the common Go library for all Sigstore services and clients and has documented public functions, but I was unable to find examples on how to use them together.

Sigstore Update — August 2022

It has been very busy in the Sigstore community over the past few weeks with lots of activity and initiatives progressing at speed. With so many exciting things happening it’s hard to keep up, but here’s a summary of the highlights from the past month. NPM set to adopt Sigstore: GitHub just announced a new request for comments (RFC) for linking packages to their source and build environment for the npm package manager.