Jul 28, 2021

Written by Dan Lorenc

Cosign 1.0!

The cosign project started in February 2021 with a goal of making it easy to sign and verify containers on any OCI registry today. The community support has been incredible! We’ve added 7 maintainers from 5 organizations, and have merged 394 commits from 32 contributors across 10 organizations. Cosign has been tested on 13 OCI registries and is now packaged in five different package managers. We’ve cut seven releases over six months and are now thrilled to declare our first general availability release, cosign 1.

Tags:  sigstoredockerkubernetessecurity

Jul 20, 2021

Written by Jake Sanders

Cosign 1.0

It’s happening! Cosign’s 1.0 release is slated for July 28. If you were curious before but were hesitant about a pre-release project, now’s a good time to try it out and leave some comments. For the initial release we plan on supporting: * Signing images with KMS (GCP, AWS, Azure, Vault), YubiKeys, and locally stored keys * Verifying image signatures using the same, plus public keys specified by URL * Verifying images in Dockerfiles * Uploading & signing arbitrary blobs (and 📄✍🏻👨🏻‍🦳 🇺🇸SBOMs🦅) * Stable APIs in pkg/ for integrating Cosign into build systems and policy engines

Tags:  sigstore

Jun 30, 2021

Written by Dan Lorenc

Sigstore June Update!

Another month, another set of exciting updates! The Sigstore community has been working at a ferocious pace to harden our platforms and tools, while working on the larger picture of supply-chain security. The pieces are coming together, and the bigger vision of OSS supply chain transparency is getting a little less blurry. This means the Sigstore community is starting to engage deeper in our peer communities as we integrate and share knowledge in both directions.

Tags:  sigstoreinfosecsecuritykubernetes

Jun 8, 2021

Written by Dan Lorenc

A New Kind of Trust Root

I’m thrilled to announce that the Sigstore community is holding our first Root Key ceremony on June 18th at 2pm Eastern, and I’m even more thrilled to announce that it will be hosted LIVE by the always incredible DanPOP on his CloudNative.tv show, Spotlight Live. This Trust Root will eventually be used to secure the keys used by the entire Sigstore project, but more importantly we’re planning to make our trust root available for any open source project that wants to use it!

Tags:  sigstoreinfosecsecuritykubernetes

May 29, 2021

Written by Dan Lorenc

What’s Next for Sigstore?

Photo by Joshua Hoehne on Unsplash If you’re new to the Sigstore project, we officially launched on March 9th 2021 with a mission of improving the open source supply chain by making it easy to sign and verify code. We’re planning to provide free tools, APIs, and services as a public-benefit/non-profit. This post is to give a quick recap of where we are today, where we’re headed and what we’re focusing on next.

Tags:  sigstorecryptoinfoseckubernetesdocker