May 17, 2021

Written by Dan Lorenc

How to Sign a Release of OSS

I’ve heard a TON of questions about how to sign an open source software release lately. Once you get past the impossible tooling/crypto questions, you quickly realize you’ve barely scratched the surface in complexity. These problems aren’t all specific to OSS, but community-driven projects do face some unique challenges that stretch beyond technical and into the philosophical realm. What does it mean to sign a release? Who should do it? Where should the keys live?

Tags:  sigstoreinfoseckubernetessecurity

May 13, 2021

Written by Dan Lorenc

Cosign Image Signatures

The protocol and format explained! (Updated June 5th 2021) In my last post, I showed how cosign can be used to sign and verify container images today. In this post, I’ll explain how it works at each step of the way. Life of a Cosign Signature We’ll start with cosign generate-key-pair . This command creates an ECDSA-P256 key pair (a private and a public key). The public key bytes are encoded in a PKIX formatted file.

Tags:  sigstoreinfoseckubernetessecurity

May 11, 2021

Written by Dan Lorenc

Cosign — Signed Container Images

I’ve seen a lot of questions about signing container images in the last few months, and unfortunately there aren’t many great options or answers today. So I decided to write a simple tool called cosign. It can sign container images! Here’s what it looks like to use: You can get it installed and start signing containers in minutes. There are almost no configuration options, by design. There is only one supported signature algorithm (ECDSA-P256) and one payload format (Red Hat Simple Signing).

Tags:  sigstoregolangkubernetessecurity

May 1, 2021

Written by Dan Lorenc

A Safer curl | bash ?

This post is about using container registries (Docker registries, OCI registries, whatever you want to call them) for the storage and distribution of generic, non-container-related binary artifacts. I explain the reasoning below, but first: code and demos Demos! Here’s a quick walkthrough of a draft tool (still WIP!) to securely fetch published contents from an OCI registry, called sget. sgetis part of the sigstore project, and is a standalone client that allows you to retrieve scripts or binaries from any OCI registry.

Tags:  sigstoreinfosecgolangsoftwaresupplychain

Apr 23, 2021

Written by Dan Lorenc

Sigstore Project Update — April 2021

Photo by Brett Jordan on Unsplash Time flies in open source! This post provides a few updates on Sigstore since our last update in March. We’ve been lucky to continue welcoming new community members and contributors, with 39 contributors from over 15 companies and our Slack channel is rapidly approaching 300 members! Let’s jump into some more project updates: Rekor As mentioned above, the Rekor binary transparency log now natively supports signed JARs.

Tags:  sigstorecryptocontainerskubernetesdocker