Aug 27, 2024

Written by Zach Steindler (GitHub)

cosign Verification of npm Provenance, GitHub Artifact Attestations, and Homebrew Provenance

One of the features of the cosign v2.4.0 release allows you to verify attestations in the bundle format used by npm provenance, GitHub Artifact Attestations, and Homebrew provenance. This is part of all Sigstore clients supporting the bundle format as outlined in the community roadmap. We’ll show how to perform that verification for each ecosystem, and explain some of the details involved. You’ll notice these examples follow the same general pattern of getting an artifact to verify, getting the bundle that contains the signed attestation about that artifact, and then providing a verification policy to cosign via command line flags.

Tags:  sigstorecosignsoftwaresupplychainsecurity

Aug 14, 2024

Written by Sigstore TSC & Community Chair

Announcing SigstoreCon: Supply Chain Day

Announcing SigstoreCon: Supply Chain Day! Join us for SigstoreCon: Supply Chain Day! Co-located with Kubecon NA 2024 in Salt Lake City, attendees will learn about simplifying signing and verification for digital artifacts using Sigstore, as well as related software supply chain efforts such as SLSA, The Update Framework, binary transparency, and more! CFP deadline is September 13. Learn more and register for SigstoreCon here! Topics for Talks We are inviting submissions for Session Presentations (30 min) and Lightning Talks (10 min).

Tags:  sigstorekubeconsupplychainsecuritysigstorecon

Jun 26, 2024

Written by Zach Steindler (GitHub)

sigstore-go verification and signing now in beta

sigstore-go verification and signing now in beta Recent sigstore-go releases include signing support, as well moving both the verification and signing API from unstable to beta. sigstore-go is used in several open source projects like the SLSA verifier, the GitHub CLI, and Stacklok Minder. Cosign and sigstore-go are similar in that they are both written in Go, but the main differences are that sigstore-go is not a full-fledged CLI, and that it supports the protobuf bundle format.

Tags:  sigstoregoclients

May 14, 2024

Written by William Woodruff (Trail of Bits), Hayden Blauzvern (Google)

Homebrew's Sigstore-powered provenance is in beta

Last November, Alpha-Omega and Trail of Bits announced a collaboration to bring build provenance to homebrew-core. Today, we are pleased to announce that the core of that work is live and in public beta: homebrew-core is now using Sigstore to cryptographically attest to all bottles built in the official Homebrew CI. This is aligned with Sigstore’s mission: to support frictionless and transparent provenance on all artifact registries. Homebrew’s build provenance follows last year’s npm provenance feature, making Homebrew the second major packaging ecosystem to adopt Sigstore!

Tags:  sigstoresecurityhomebrew

Mar 14, 2024

Written by Sigstore TSC & Community Chair

Sigstore - An OpenSSF Graduated Project

Sigstore Graduates: A Monumental Step Towards Secure Software Supply chain security took a giant leap forward this month as Sigstore officially became a graduated project within the Open Source Security Foundation (OpenSSF). This milestone is a testament to Sigstore’s maturity, adoption, and its undeniable impact on making the creation and distribution of software more trustworthy. What is Sigstore? For those unfamiliar, Sigstore is a suite of tools designed to streamline secure software signing & verification of artifacts such as binaries, containers and attestations.

Tags:  sigstoresecuresupplychain