Verify cosign signatures in Go using sigstore/sigstore

After integrating cosign into the release process of Constellation's CLI, I also wanted to improve the supply chain security of our metadata that is used for attestation. Using the cosign CLI for signing and verifying blobs or container images is a well-documented process. The sigstore/sigstore project is the common Go library for all sigstore services and clients and has documented public functions, but I was unable to find examples of how to use them together.

Sigstore Update — August 2022

It has been very busy in the Sigstore community over the past few weeks, with lots of activity and initiatives progressing at speed. With so many exciting things happening it's hard to keep up, but here's a summary of the highlights from the past month. NPM set to adopt Sigstore: GitHub just announced a new request for comments (RFC) for linking packages to their source and build environment for the npm package manager.

Adopting Sigstore Incrementally

Developers, package maintainers, and enterprises that would like to adopt Sigstore may already sign published artifacts. Signers may have existing procedures to securely store and use signing keys. Sigstore can be used to sign artifacts with existing self-managed, long-lived signing keys. Sigstore provides a simple user experience for signing, verification, and generating structured signature metadata for artifacts and container signatures. Sigstore also offers a community-operated, free-to-use transparency log for auditing signature generation.

Is Sigstore Ready for a Post-Quantum World?

A couple of weeks back, NIST made big news in the cryptographic community by announcing that they have selected four quantum-resistant encryption and digital signature algorithms for standardization. In recent years, worries about the threats that quantum computers pose to current encryption algorithms have precipitated a major effort to establish a "post-quantum" (PQ) cryptographic toolkit. NIST's 99-page full report, which reflects six years of work by a group of expert cryptographers, details the algorithms and their performance and security characteristics. However, the report omits the answer to the question on every Sigstore user's mind: is Sigstore ready for a post-quantum world?

sigstore, blockchain vs transparency logs

Co-authored by Luke Hinds (Red Hat) and Prof. Santiago Torres-Arias (Purdue University). Disclaimer: The following is representative of the authors' views, and not necessarily those of the sigstore community. *"Why did you choose to use a transparency log and not a blockchain?"* We get this question often, so we figured it's best to address this head-on. It could be best summarised as *"why would we use blockchain?"* as opposed to *"why did we not use blockchain?*