Announcing sigstore-python 2.0

We are delighted to announce the 2.0 release of sigstore-python, a Python client for signing and verifying Sigstore signatures! $ python -m pip install -U sigstore $ python -m sigstore --version sigstore 2.0.0 This release has been in the works for a while, and contains a number of significant improvements and breaking changes to both the sigstore CLI and Python APIs. We’ve also updated the official sigstore/gh-action-sigstore-python action to use the latest 2.

Trusted Time in Sigstore

Time in Sigstore Time is a critical component of Sigstore. It’s used to verify that a short-lived certificate issued by Fulcio was valid at a previous point, when the artifact was signed. As a reminder, the default signing flow for Sigstore clients includes the following: Signer requests an identity token from an OpenID Connect provider Signer generates an ephemeral keypair Signer sends the public key and identity token to Fulcio, Sigstore’s certificate authority Fulcio issues a short-lived (10 minute expiration) code-signing certificate Signer signs the artifact, and uploads the artifact, the certificate, and signature to Rekor, Sigstore’s transparency log During artifact verification, a client must verify the certificate.

Sigstore Announcement: No Longer Publishing Cosign Releases to GCS Bucket

We are announcing that we will stop publishing Cosign releases to the GCS bucket named cosign-releases. The current v2.1.1 release of Cosign is the last release that will be pushed to the bucket, and public access to the GCS bucket will be removed on October 31st, 2023. Why are we deprecating the GCS bucket? We are deprecating the GCS bucket because we already use GitHub in the Sigstore community, and it is a reliable and secure platform for hosting release artifacts.

Announcing the Sigstore Clients Special Interest Group (sig-clients)

We are delighted to announce the creation of the Clients Special Interest Group (sig-clients) for the Sigstore project. This exciting new initiative marks the first SIG for Sigstore and serves as an experiment in organizing efforts across the Sigstore project. The sig-clients repository is your one-stop shop for all things related to Sigstore clients across various languages and ecosystems. This group has the following mission: Make Sigstore clients across languages/ecosystems easy-to-write, compatible, and secure by providing shared designs/documentation, data formats, and test suites.

Bringing Privacy and Security Full Circle Through Automated Authentication

This is a Sigstore case study contributed by Max Furman of Smallstep No matter how well you think you secure your software supply chain, the possibility of a breach is always in the back of your mind. We recently had a moment of panic where we thought, “Did someone get access to some things we stored in secrets?” I wondered what damage they’d done and how quickly we could repair it.