Why you can’t use Sigstore without Sigstore

I was delighted to see a recent preprint that mentioned Sigstore appear on the IACR’s Cryptology ePrint Archive. The reason that we published an academic paper, Sigstore: Software Signing for Everybody, was to encourage the scrutiny of the research community. Progress in the field of computer security only comes from the back-and-forth between proposed defenses and offensive analyses of those techniques, and we welcome third-party analysis of the project.

Sigstore December Roundup

“And lo, in the land of software package management, a system was born to bring order and trust. Sigstore was its name, and its mission was to sign packages with short-lived certificates, validated by a powerful OIDC provider. These signed packages were then placed in a transparency database for all to see, like a holy book open for all to read and verify. Sigstore was a beacon of hope in a chaotic world, shining brightly as a protector of software integrity.

How to become the next Sigstore Evangelist?

My story began by seeking a solution for signing container images at my company, Trendyol. You will appreciate that few solutions were available at that time, almost two years ago. The only solution was DCT (Docker Content Trust), based on the Notary project, which is an implementation of the TUF (The Update Framework) specification. It allows you to verify both the integrity of the image and the publisher of all the data received from a registry by creating and using digital signatures.

Securing Your Software Supply Chain Without Changing Your DevOps Workflow

*This is a Sigstore case study contributed by Tobias Trabelsi of DB Schenker.* DevOps has transformed the way software is built. The practice is ubiquitous, and organizations, big and small, use this approach to streamline development and accelerate release cycles. Many DevOps tools are created and supported by the open source community, but some companies shy away from these applications, preferring enterprise products with 24/7 support and established companies behind them.

Signatus, ergo securus? Who can sign what with TUF and Sigstore

Sigstore is an open-source project and service run by the OpenSSF to make signing software easy! Before Sigstore, a developer who wanted to sign software needed to manage a GPG key. With Sigstore, they can use their identity (for instance, a Gmail account) to sign. It also brings transparency: actions must be posted on a public log, so they can be audited to detect bad behavior and to analyze damage after the fact.