Towards Easier, More Secure Signature Technology for the Java Ecosystem with Sigstore

In October 2022, the Sigstore project announced the General Availability of its free software signing service, giving open source communities access to production-grade services for artifact signing and verification. As the project matures, so do the language-specific clients that are actively being developed: in January 2023, sigstore-python announced the 1.0 release of Sigstore for Python. The Java community has always taken a mature approach to security, so it should come as no surprise that there is plenty of activity towards integrating Sigstore into the existing ecosystem and offering first-class support for software signing and verification with Sigstore.

Sigstore January Roundup

This month, we are thrilled to have announced the 1.0 release of sigstore-python. This project started a year ago to provide a Sigstore-compatible client similar to cosign, but built entirely with Python and easily adoptable by the Python ecosystem. A big thank you to all the contributors and maintainers for making it to 1.0!

Latest Blog Posts

Thank you to Andrew, Felix and Zachary for contributing the following blog posts this month.

A Guide to Running Sigstore Locally

Co-authored with Andrew Block

A key concept in Sigstore is its availability: anyone can use the hosted tooling to sign, publish and verify assets and incorporate it into their security processes. In a corporate context, with private repositories and private artifacts as well as restricted access to external resources, it must be questioned whether it makes sense to use the public Sigstore deployment. Sensitive information might be exposed, and because Sigstore's transparency log is public and append-only by design, anything published to it cannot be erased or fenced off afterwards.

Announcing the 1.0 release of sigstore-python

The sigstore-python project began 1 year ago in January 2022 with the goal of providing a Sigstore-compatible client similar to cosign, but built entirely with Python and easily adoptable by the Python ecosystem. Today, thanks to the support of the community and work of 18 unique contributors, we’re excited to announce a usable and reference-quality 1.0 stable release of that client, which includes an importable Python API as well as a fully functional CLI.

Why you can’t use Sigstore without Sigstore

I was delighted to see a recent preprint that mentioned Sigstore appear on the IACR's Cryptology ePrint Archive. The reason that we published an academic paper, Sigstore: Software Signing for Everybody, was to encourage the scrutiny of the research community. Progress in the field of computer security only comes from the back-and-forth between proposed defenses and offensive analyses of those techniques, and we welcome third-party analysis of the project.