Sigstore Blog - Sigstore Blog

Oct 5, 2023

Written by Dan Lorenc

OpenPubkey and Sigstore

Disclaimer: The following is representative of the authors views, and not necessarily that of the sigstore community. OpenPubKey was announced October 4th by Docker and BastionZero as a new Linux Foundation project. It’s a new scheme for using OIDC providers to sign arbitrary objects. It bears a lot of resemblance to Sigstore, so I thought it would be worth taking some time to explain the differences, including some advantages and disadvantages.

Tags: sigstore , crypto , containers , openpubkey , docker

Oct 3, 2023

Written by The Sigstore Technical Steering Committee

npm's Sigstore-powered provenance goes GA

Last week saw the GA release of npm CLI’s native Sigstore functionality, a project over a year in the making. This is a tremendous milestone for the adoption of Sigstore in open source projects and represents huge progress in effecting a cultural shift toward expecting provenance to exist for software components. It also helps move npm toward the best practices articulated by the OpenSSF’s Securing Open Source Repos Working Group in their document “Build Provenance for All Package Registries”.

Tags: sigstore , npm , security , node

Sep 29, 2023

Written by William Woodruff (Trail of Bits), Dustin Ingram (Google)

Announcing sigstore-python 2.0

We are delighted to announce the 2.0 release of sigstore-python, a Python client for signing and verifying Sigstore signatures! $ python -m pip install -U sigstore $ python -m sigstore --version sigstore 2.0.0 This release has been in the works for a while, and contains a number of significant improvements and breaking changes to both the sigstore CLI and Python APIs. We’ve also updated the official sigstore/gh-action-sigstore-python action to use the latest 2.

Tags: sigstore , python , clients

Aug 2, 2023

Written by Hayden Blauzvern (Google), Meredith Lancaster (GitHub), Héctor Fernández (Chainguard)

Trusted Time in Sigstore

Time in Sigstore Time is a critical component of Sigstore. It’s used to verify that a short-lived certificate issued by Fulcio was valid at a previous point, when the artifact was signed. As a reminder, the default signing flow for Sigstore clients includes the following: Signer requests an identity token from an OpenID Connect provider Signer generates an ephemeral keypair Signer sends the public key and identity token to Fulcio, Sigstore’s certificate authority Fulcio issues a short-lived (10 minute expiration) code-signing certificate Signer signs the artifact, and uploads the artifact, the certificate, and signature to Rekor, Sigstore’s transparency log During artifact verification, a client must verify the certificate.

Tags: sigstore , timestamping , rekor

Jul 31, 2023

Written by sigstore TSC

Sigstore Announcement: No Longer Publishing Cosign Releases to GCS Bucket

We are announcing that we will stop publishing Cosign releases to the GCS bucket named cosign-releases. The current v2.1.1 release of Cosign is the last release that will be pushed to the bucket, and public access to the GCS bucket will be removed on October 31st, 2023. Why are we deprecating the GCS bucket? We are deprecating the GCS bucket because we already use GitHub in the Sigstore community, and it is a reliable and secure platform for hosting release artifacts.

Tags: sigstore , cosign

Newer

Older