Sigstore June Update!

Another month, another set of exciting updates! The Sigstore community has been working at a ferocious pace to harden our platforms and tools, while working on the larger picture of supply-chain security. The pieces are coming together, and the bigger vision of OSS supply chain transparency is getting a little less blurry. This means the Sigstore community is starting to engage more deeply with our peer communities as we integrate and share knowledge in both directions.

A New Kind of Trust Root

I’m thrilled to announce that the Sigstore community is holding our first Root Key ceremony on June 18th at 2pm Eastern, and I’m even more thrilled to announce that it will be hosted LIVE by the always incredible DanPOP on his CloudNative.tv show, Spotlight Live. This Trust Root will eventually be used to secure the keys used by the entire Sigstore project, but more importantly we’re planning to make our trust root available for any open source project that wants to use it!

What’s Next for Sigstore?

If you’re new to the Sigstore project, we officially launched on March 9th 2021 with a mission of improving the open source supply chain by making it easy to sign and verify code. We’re planning to provide free tools, APIs, and services as a public-benefit/non-profit. This post is to give a quick recap of where we are today, where we’re headed and what we’re focusing on next.

The Update Framework and You

Why does it need to be so TUF? If you’re anything like me and spend time reading blog posts and GitHub discussions around how to securely package and release software, you’ve probably heard of The Update Framework. Unfortunately, if you’re actually anything like me, it probably seemed overwhelming and confusing at first. This blog post explains the mental model I’ve built up for TUF, and some of the concepts that finally made it understandable and digestible for me.

How to Sign a Release of OSS

I’ve heard a TON of questions about how to sign an open source software release lately. Once you get past the impossible tooling/crypto questions, you quickly realize you’ve barely scratched the surface in complexity. These problems aren’t all specific to OSS, but community-driven projects do face some unique challenges that stretch beyond technical and into the philosophical realm. What does it mean to sign a release? Who should do it? Where should the keys live?