Sigstore Blog - Sigstore Blog

Apr 25, 2022

Written by developer-guy

How to verify container images with Kyverno using KMS, Cosign, and Workload Identity

Securing our software supply chains has become more critical with the rise of software supply chain attacks. Also, over the past few years, container adoption has increased too. In the light of these pieces of information, it has grown the need to sign container images to help prevent supply chain attacks. In addition, most of the containers we are using today, even if we use them in production environments, are vulnerable to supply chain attacks.

Tags: sigstore , cosign , workloadidentity , kms , kyverno

Jan 28, 2022

Written by Dan Lorenc

Sigstore ❤ Ruby!

We started the Sigstore project with a goal of making key management, certificates, and digital signatures accessible and easy to use for every developer and language community. It’s incredibly exciting to see our tooling and services used by new ecosystems, so we were thrilled to see the recent RFC from Shopify around improving the signing mechanisms on RubyGems using Sigstore. On behalf of the Sigstore community, we’d like to affirm that we’re here to help with this RFC in any way we can!

Tags: sigstore , ruby

Jan 19, 2022

Written by Hayden Blauzvern, Asra Ali

Sigstore: Bring-your-own sTUF with TUF

Users of Sigstore may want to leverage Sigstore tools and infrastructure, but may not want want to rely on Sigstore’s root of trust or all of the components of the public infrastructure. For example, a company may want to maintain a private transparency log for all internal build information but only make entries to a public log for published releases. Or, a user may not want to include their email addresses in a public certificate transparency log.

Tags: sigstore , security , opensource , softwaresupplychain

Jan 10, 2022

Written by Santiago Torres-Arias

Celebrating 1,000,000 entries in Rekor

We’ve finally reached a million entries! We hit a million entries by the end of 2021: rekor-cli get — log-index 1000000 LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d Index: 1000000 IntegratedTime: 2021–12–27T21:34:27Z UUID: abb93264122dc2eb6da3ac77957978dda3ceb3521ab52cdff8490b23eaf791c1 As a double milestone — the turn of the year and the next order of magnitude — this is a good opportunity to look into what’s become of the Sigstore ecosystem since its inception. Throughout the last year, we’ve seen a lot of different initiatives, new types of signatures added, tools, major features, and more from the whole community.

Tags: sigstore , softwaresupplychain , softwareengineering

Oct 29, 2021

Written by Dan Lorenc

Spooky Updates for Sigstore!

October is almost done, so it’s time for another update! The supply chains are clearly haunted, so this one has a spooky theme. The community is still growing quickly, and the fancy new “Contributor Strength” dashboard reflects it! In other numbers, we’re at 820 commits from 85 committers, and our slack channel has reached 710 members! Keep the PRs coming everyone! The Sigstore talk at Kubecon went very well, and the Sigstore booth was a huge success!

Tags: sigstore , infosec , security

Newer

Older