Sigstore Announces General Availability for Rekor and Fulcio

Sigstore is excited to announce general availability (GA) for the Rekor transparency log and Fulcio certificate authority public benefit services! The community has been working hard all year to accomplish this milestone, and we are thrilled that open source communities can now confidently rely on Sigstore for production grade stable services for artifact signing and verification. While the Sigstore community has maintained a public instance since early 2021, the services were operated on a best-effort basis and maintainers periodically had to make breaking changes or reset data.

Sigstore Proves That Effective Supply Chain Security Doesn’t Have to Hurt

This is a Sigstore case study contributed by Brandon Gulla, CTO at Rancher Government Solutions. Traditionally, everyone in IT assumed good security had to hurt a little bit. If it didn’t hurt, security wasn’t strong enough. But computing trends in software supply chains have shifted in recent years, moving toward centralized development and software factories. When you have that common infrastructure throughout the organization, you can isolate a lot of that pain within the process — without too much developer interaction and disruption.

Sigstore October Roundup

Technical Steering Committee: New Member. Thank you, Dan Lorenc, for your time on the Technical Steering Committee (TSC)! Sigstore is where it is today thanks to your help. We also want to give a big welcome to Priya Wadhwa, who is replacing Dan on the TSC! We know you’ll also be great at moving Sigstore in the right direction. SigstoreCon. The SigstoreCon program has been announced! We are thrilled to have representatives from 14 different companies speaking at the event, namely: Autodesk, Chainguard, Cycode, Datadog, Edgeless Systems, GitHub, Google, IBM Research, InfluxData, Nirmata, Red Hat, Trail of Bits, Upgrade, and VMware.

How Sigstore quickly patched an upstream vulnerability

Summary: On October 3, 2022, Dex, the federated identity provider that Sigstore uses to issue identity tokens, published CVE-2022-39222 with a GitHub Security Advisory. Sigstore was vulnerable to this CVE, but we were able to quickly mitigate the vulnerability in June before an official fix was published. Details: On June 13, 2022, Joern Schneeweisz from the GitLab Security Research Team disclosed a vulnerability to Sigstore where an attacker executing a phishing campaign against a user can acquire a user’s identity token through a backchannel.

Contribute to Sigstore during Hacktoberfest 2022!

This year, Sigstore is participating in Hacktoberfest for the first time! What is Hacktoberfest? Hacktoberfest is a month-long celebration that encourages people to contribute to open source. Digital Ocean, along with its partners, hosts it every year. Who can participate? Everyone and anyone is welcome to participate in Hacktoberfest (and to contribute to Sigstore). The first 40,000 participants (maintainers and contributors) who complete Hacktoberfest can elect to receive one of two prizes: a tree planted in their name, or the Hacktoberfest 2022 t-shirt.