Sigstore Blog - Sigstore Blog

May 28, 2022

Written by Zachary Newman

Privacy in Sigstore

Photo by Tim Mossholder on Unsplash By default, the keyless signing flow for Sigstore exposes a user’s email: $ rekor-cli search --email zack@example.com \ # not my real email! | wc -l Found matching entries (listed by UUID): 112 Specifically, a user logs in to Fulcio with OIDC. Fulcio issues a short-lived certificate with the SAN set to your email address as reported by the OIDC identity provider, even if your email is not typically exposed on that service itself (for instance, your GitHub email will be exposed, even though it’s not generally public).

Tags: sigstore , privacy , softwaresupplychain , supplychainsecurity

Apr 25, 2022

Written by developer-guy

How to verify container images with Kyverno using KMS, Cosign, and Workload Identity

Securing our software supply chains has become more critical with the rise of software supply chain attacks. Also, over the past few years, container adoption has increased too. In the light of these pieces of information, it has grown the need to sign container images to help prevent supply chain attacks. In addition, most of the containers we are using today, even if we use them in production environments, are vulnerable to supply chain attacks.

Tags: sigstore , cosign , workloadidentity , kms , kyverno

Apr 25, 2022

Written by Zachary Newman

Don’t Panic: A Playbook for Handling Account Compromise with Sigstore

Photo by Tonik on Unsplash Despite your best efforts, you may no longer trust artifacts, keys, or identities when signing software. A container might turn out to have vulnerabilities, a key might be lost, or worse: a trusted account could be compromised. There’s a myth that Sigstore makes revocation harder; in fact, the opposite is true! While it is true that the signatures on software are stored forever, software verification using Sigstore does support artifact revocation.

Tags: sigstore , cosign , incidentresponse , supplychainsecurity

Jan 28, 2022

Written by Dan Lorenc

Sigstore ❤ Ruby!

We started the Sigstore project with a goal of making key management, certificates, and digital signatures accessible and easy to use for every developer and language community. It’s incredibly exciting to see our tooling and services used by new ecosystems, so we were thrilled to see the recent RFC from Shopify around improving the signing mechanisms on RubyGems using Sigstore. On behalf of the Sigstore community, we’d like to affirm that we’re here to help with this RFC in any way we can!

Tags: sigstore , ruby

Jan 19, 2022

Written by Hayden Blauzvern, Asra Ali

Sigstore: Bring-your-own sTUF with TUF

Users of Sigstore may want to leverage Sigstore tools and infrastructure, but may not want want to rely on Sigstore’s root of trust or all of the components of the public infrastructure. For example, a company may want to maintain a private transparency log for all internal build information but only make entries to a public log for published releases. Or, a user may not want to include their email addresses in a public certificate transparency log.

Tags: sigstore , security , opensource , softwaresupplychain

Newer

Older