Sigstore project update — September 2021

Well, another month has passed and, as per usual in the sigstore world, a lot has happened! Since our last update in August we have more than doubled the number of contributors working on sigstore! There has been a leap from 46 to 98! Wow!

KubeCon NA 2021

sigstore will be at KubeCon North America with its own booth, so if you’re in person at the event, come and say hi! We will be at booth number S86

Sigstore Project Update — August 2021

Welcome to our project update for August. As always, the community is continuing to expand. We are now close to 600 members in our Slack workspace. We now have 46 contributors and are growing each day. The month of August saw 254 commits, and 526k lines of code were changed! Lots of exciting things are happening; read more for our project updates and our presence at KubeCon NA.

cosign

Cosign hit 1.

It’s ten o’clock, do you know where your private keys are?

Short-lived certificates are great — a short lifetime removes the need for complicated revocation policies and reduces an attacker’s window of opportunity. Yet using short-lived certificates in the software supply chain brings a lifetime problem: how can users trust artifacts after the certificate’s expiration? Repeatedly signing artifacts and requesting certificates is tedious. Really, distributors only need to prove that artifacts were signed when the certificate was valid… with timestamps! Enter SigStore’s new, free, open-source RFC 3161 timestamping service on the transparency log Rekor!

Cosign 1.0!

The cosign project started in February 2021 with the goal of making it easy to sign and verify containers on any OCI registry today. The community support has been incredible! We’ve added 7 maintainers from 5 organizations, and have merged 394 commits from 32 contributors across 10 organizations. Cosign has been tested on 13 OCI registries and is now packaged in five different package managers. We’ve cut seven releases over six months and are now thrilled to declare our first general availability release, cosign 1.

Cosign 1.0

It’s happening! Cosign’s 1.0 release is slated for July 28. If you were curious before but were hesitant about a pre-release project, now’s a good time to try it out and leave some comments. For the initial release we plan on supporting:

* Signing images with KMS (GCP, AWS, Azure, Vault), YubiKeys, and locally stored keys
* Verifying image signatures using the same, plus public keys specified by URL
* Verifying images in Dockerfiles
* Uploading & signing arbitrary blobs (and 📄✍🏻👨🏻‍🦳 🇺🇸SBOMs🦅)
* Stable APIs in pkg/ for integrating Cosign into build systems and policy engines