May 30, 2022

Written by Luke Hinds

sigstore, blockchain vs transparency logs

Co-authored by Luke Hinds (Red Hat) and Prof Santiago Torres-Arias (Purdue University). Disclaimer: The following is representative of the authors views, and not necessarily that of the sigstore community. *“Why did you chose to use a transparency log and not a blockchain?”* We get this question often, so we figured it’s best to address this head on. It could be best summarised as *‘why would we use blockchain?*’ as opposed to ‘*why did we not use blockchain?

Tags:  sigstoreblockchaindevsecops

May 28, 2022

Written by Zachary Newman

Privacy in Sigstore

Photo by Tim Mossholder on Unsplash By default, the keyless signing flow for Sigstore exposes a user’s email: $ rekor-cli search --email zack@example.com \ # not my real email! | wc -l Found matching entries (listed by UUID): 112 Specifically, a user logs in to Fulcio with OIDC. Fulcio issues a short-lived certificate with the SAN set to your email address as reported by the OIDC identity provider, even if your email is not typically exposed on that service itself (for instance, your GitHub email will be exposed, even though it’s not generally public).

Tags:  sigstoreprivacysoftwaresupplychainsupplychainsecurity

Apr 25, 2022

Written by developer-guy

How to verify container images with Kyverno using KMS, Cosign, and Workload Identity

Securing our software supply chains has become more critical with the rise of software supply chain attacks. Also, over the past few years, container adoption has increased too. In the light of these pieces of information, it has grown the need to sign container images to help prevent supply chain attacks. In addition, most of the containers we are using today, even if we use them in production environments, are vulnerable to supply chain attacks.

Tags:  sigstorecosignworkloadidentitykmskyverno

Apr 25, 2022

Written by Zachary Newman

Don’t Panic: A Playbook for Handling Account Compromise with Sigstore

Photo by Tonik on Unsplash Despite your best efforts, you may no longer trust artifacts, keys, or identities when signing software. A container might turn out to have vulnerabilities, a key might be lost, or worse: a trusted account could be compromised. There’s a myth that Sigstore makes revocation harder; in fact, the opposite is true! While it is true that the signatures on software are stored forever, software verification using Sigstore does support artifact revocation.

Tags:  sigstorecosignincidentresponsesupplychainsecurity

Jan 28, 2022

Written by Dan Lorenc

Sigstore ❤ Ruby!

We started the Sigstore project with a goal of making key management, certificates, and digital signatures accessible and easy to use for every developer and language community. It’s incredibly exciting to see our tooling and services used by new ecosystems, so we were thrilled to see the recent RFC from Shopify around improving the signing mechanisms on RubyGems using Sigstore. On behalf of the Sigstore community, we’d like to affirm that we’re here to help with this RFC in any way we can!

Tags:  sigstoreruby