It’s ten o’clock, do you know where your private keys are?

Short-lived certificates are great — a short lifetime removes the need for complicated revocation policies and reduces an attacker’s window of opportunity. Yet using short-lived certificates in the software supply chain brings a lifetime problem: how can users trust artifacts after the certificate’s expiration? Repeatedly signing artifacts and requesting certificates is tedious. Really, distributors only need to prove that artifacts were signed when the certificate was valid… with timestamps! Enter Sigstore’s new, free, open-source RFC 3161 timestamping service on the transparency log Rekor!

Cosign 1.0!

The cosign project started in February 2021 with a goal of making it easy to sign and verify containers on any OCI registry today. The community support has been incredible! We’ve added 7 maintainers from 5 organizations, and have merged 394 commits from 32 contributors across 10 organizations. Cosign has been tested on 13 OCI registries and is now packaged in five different package managers. We’ve cut seven releases over six months and are now thrilled to declare our first general availability release, cosign 1.0.

Cosign 1.0

It’s happening! Cosign’s 1.0 release is slated for July 28. If you were curious before but were hesitant about a pre-release project, now’s a good time to try it out and leave some comments. For the initial release we plan on supporting:

* Signing images with KMS (GCP, AWS, Azure, Vault), YubiKeys, and locally stored keys
* Verifying image signatures using the same, plus public keys specified by URL
* Verifying images in Dockerfiles
* Uploading & signing arbitrary blobs (and 📄✍🏻👨🏻‍🦳 🇺🇸SBOMs🦅)
* Stable APIs in pkg/ for integrating Cosign into build systems and policy engines

Sigstore June Update!

Another month, another set of exciting updates! The Sigstore community has been working at a ferocious pace to harden our platforms and tools, while working on the larger picture of supply-chain security. The pieces are coming together, and the bigger vision of OSS supply chain transparency is getting a little less blurry. This means the Sigstore community is starting to engage deeper in our peer communities as we integrate and share knowledge in both directions.

A New Kind of Trust Root

I’m thrilled to announce that the Sigstore community is holding our first Root Key ceremony on June 18th at 2pm Eastern, and I’m even more thrilled to announce that it will be hosted LIVE by the always incredible DanPOP on his CloudNative.tv show, Spotlight Live. This Trust Root will eventually be used to secure the keys used by the entire Sigstore project, but more importantly we’re planning to make our trust root available for any open source project that wants to use it!