Cosign 1.0

It’s happening! Cosign’s 1.0 release is slated for July 28. If you were curious before but were hesitant about a pre-release project, now’s a good time to try it out and leave some comments. For the initial release we plan on supporting:

* Signing images with KMS (GCP, AWS, Azure, Vault), YubiKeys, and locally stored keys
* Verifying image signatures using the same, plus public keys specified by URL
* Verifying images in Dockerfiles
* Uploading & signing arbitrary blobs (and 📄✍🏻👨🏻‍🦳 🇺🇸SBOMs🦅)
* Stable APIs in pkg/ for integrating Cosign into build systems and policy engines
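As an added illustration of the "locally stored keys" and "signing arbitrary blobs" items above, here is a small stand-alone Go program that does what the local-key blob workflow does cryptographically. It is not Cosign's own code and does not use its pkg/ APIs; it assumes (based on Cosign's default key type) that a locally generated key is ECDSA P-256, that the signature is an ASN.1 DER ECDSA signature over the SHA-256 digest of the blob, base64-encoded, and that the public key is PKIX PEM. The password protection Cosign applies to the private key file is omitted, the function names are the example's own, and the blob content is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// GenerateKeyPair stands in for `cosign generate-key-pair` (assumption: ECDSA
// P-256), minus the password protection of the private key. It returns the
// private key and the PEM-encoded public key that would land in cosign.pub.
func GenerateKeyPair() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return priv, pubPEM, nil
}

// SignBlob stands in for signing a blob with a local key (assumption: ASN.1
// DER ECDSA signature over SHA-256(blob), printed base64-encoded).
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyBlob stands in for verifying a blob against a public key file and a
// detached signature: parse the PEM key, decode the base64 signature, and
// check it over SHA-256(blob). Every malformed input is an error, never a pass.
func VerifyBlob(pubPEM []byte, sigB64 string, blob []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("public key: expected a PEM PUBLIC KEY block")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("public key: not an ECDSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match blob")
	}
	return nil
}

func main() {
	priv, pubPEM, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample blob standing in for an SBOM or any other artifact.
	blob := []byte("constructed sample SBOM content\n")
	sig, err := SignBlob(priv, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("unmodified blob:", VerifyBlob(pubPEM, sig, blob))
	// Flip one bit of the blob: the same signature must now be rejected.
	tampered := append([]byte{}, blob...)
	tampered[0] ^= 1
	fmt.Println("tampered blob:  ", VerifyBlob(pubPEM, sig, tampered))
}
```

The point to take away is that verification binds the signature to the exact bytes of the blob and to a specific public key; swapping in a different key file, a truncated signature, or a single modified byte all fail closed, which is the property a build system integrating the pkg/ APIs needs to rely on.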

Sigstore June Update!

Another month, another set of exciting updates! The Sigstore community has been working at a ferocious pace to harden our platforms and tools, while working on the larger picture of supply-chain security. The pieces are coming together, and the bigger vision of OSS supply chain transparency is getting a little less blurry. This means the Sigstore community is starting to engage more deeply with our peer communities as we integrate and share knowledge in both directions.

A New Kind of Trust Root

I’m thrilled to announce that the Sigstore community is holding our first Root Key ceremony on June 18th at 2pm Eastern, and I’m even more thrilled to announce that it will be hosted LIVE by the always incredible DanPOP on his CloudNative.tv show, Spotlight Live. This Trust Root will eventually be used to secure the keys used by the entire Sigstore project, but more importantly we’re planning to make our trust root available for any open source project that wants to use it!

What’s Next for Sigstore?

If you’re new to the Sigstore project, we officially launched on March 9th 2021 with a mission of improving the open source supply chain by making it easy to sign and verify code. We’re planning to provide free tools, APIs, and services as a public-benefit/non-profit. This post is to give a quick recap of where we are today, where we’re headed and what we’re focusing on next.

The Update Framework and You

Why does it need to be so TUF? If you’re anything like me and spend time reading blog posts and GitHub discussions around how to securely package and release software, you’ve probably heard of The Update Framework (TUF). Unfortunately, if you’re actually anything like me, it probably seemed overwhelming and confusing at first. This blog post explains the mental model I’ve built up for TUF, and some of the concepts that finally made it understandable and digestible for me.