Aug 2, 2022

Written by Hayden Blauzvern

Adopting Sigstore Incrementally

Developers, package maintainers, and enterprises that would like to adopt Sigstore may already sign published artifacts. Signers may have existing procedures to securely store and use signing keys. Sigstore can be used to sign artifacts with existing self-managed, long-lived signing keys. Sigstore provides a simple user experience for signing, verification, and generating structured signature metadata for artifacts and container signatures. Sigstore also offers a community-operated, free-to-use transparency log for auditing signature generation.

Tags:  sigstoresecurityopensourcesoftwaresupplychain

Jul 17, 2022

Written by Zachary Newman

Is Sigstore Ready for a Post-Quantum World?

Photo by Anton Maksimov 5642.su on Unsplash A couple of weeks back, NIST made big news in the cryptographic community by announcing that they have selected four quantum-resistant encryption and digital signature algorithms for standardization. In recent years, worries about the threats that quantum computers pose to current encryption algorithms have precipitated a major effort to establish a “post-quantum” (PQ) cryptographic toolkit. NIST’s 99-page full report, which reflects six years of work by a group of expert cryptographers details the algorithms and their performance and security characteristics However, the report omits the answer to the question on every Sigstore user’s mind: is Sigstore ready for a post-quantum world?

Tags:  sigstorenistpostquantumcryptography

May 30, 2022

Written by Luke Hinds

sigstore, blockchain vs transparency logs

Co-authored by Luke Hinds (Red Hat) and Prof Santiago Torres-Arias (Purdue University). Disclaimer: The following is representative of the authors views, and not necessarily that of the sigstore community. *“Why did you chose to use a transparency log and not a blockchain?”* We get this question often, so we figured it’s best to address this head on. It could be best summarised as *‘why would we use blockchain?*’ as opposed to ‘*why did we not use blockchain?

Tags:  sigstoreblockchaindevsecops

May 28, 2022

Written by Zachary Newman

Privacy in Sigstore

Photo by Tim Mossholder on Unsplash By default, the keyless signing flow for Sigstore exposes a user’s email: $ rekor-cli search --email zack@example.com \ # not my real email! | wc -l Found matching entries (listed by UUID): 112 Specifically, a user logs in to Fulcio with OIDC. Fulcio issues a short-lived certificate with the SAN set to your email address as reported by the OIDC identity provider, even if your email is not typically exposed on that service itself (for instance, your GitHub email will be exposed, even though it’s not generally public).

Tags:  sigstoreprivacysoftwaresupplychainsupplychainsecurity

Apr 25, 2022

Written by Zachary Newman

Don’t Panic: A Playbook for Handling Account Compromise with Sigstore

Photo by Tonik on Unsplash Despite your best efforts, you may no longer trust artifacts, keys, or identities when signing software. A container might turn out to have vulnerabilities, a key might be lost, or worse: a trusted account could be compromised. There’s a myth that Sigstore makes revocation harder; in fact, the opposite is true! While it is true that the signatures on software are stored forever, software verification using Sigstore does support artifact revocation.

Tags:  sigstorecosignincidentresponsesupplychainsecurity