What’s Next for Sigstore?

If you’re new to the Sigstore project, we officially launched on March 9th 2021 with a mission of improving the open source supply chain by making it easy to sign and verify code. We’re planning to provide free tools, APIs, and services as a public-benefit/non-profit. This post is to give a quick recap of where we are today, where we’re headed and what we’re focusing on next.

The Update Framework and You

Why does it need to be so TUF?

If you’re anything like me and spend time reading blog posts and GitHub discussions around how to securely package and release software, you’ve probably heard of The Update Framework. Unfortunately, if you’re actually anything like me it probably seemed overwhelming and confusing at first. This blog post explains the mental model I’ve built up for TUF, and some of the concepts that finally made it understandable and digest-able for me.

How to Sign a Release of OSS

I’ve heard a TON of questions about how to sign an open source software release lately. Once you get past the impossible tooling/crypto questions, you quickly realize you’ve barely scratched the surface in complexity. These problems aren’t all specific to OSS, but community-driven projects do face some unique challenges that stretch beyond technical and into the philosophical realm. What does it mean to sign a release? Who should do it? Where should the keys live?

Cosign Image Signatures

The protocol and format explained! (Updated June 5th 2021)

In my last post, I showed how cosign can be used to sign and verify container images today. In this post, I’ll explain how it works at each step of the way.

Life of a Cosign Signature

We’ll start with cosign generate-key-pair. This command creates an ECDSA-P256 key pair (a private and a public key). The public key bytes are encoded in a PKIX formatted file.

Cosign — Signed Container Images

I’ve seen a lot of questions about signing container images in the last few months, and unfortunately there aren’t many great options or answers today. So I decided to write a simple tool called cosign. It can sign container images! Here’s what it looks like to use: You can get it installed and start signing containers in minutes. There are almost no configuration options, by design. There is only one supported signature algorithm (ECDSA-P256) and one payload format (Red Hat Simple Signing).