Sigstore Support in npm launches for Public Beta

We’re thrilled to announce that the npm project has launched a public beta, bundling Sigstore support directly into the npm Command-Line Interface (CLI). This innovation brings strong origin guarantees to the npm ecosystem and marks the first time that a large package registry technology is using public software signatures to attest to a package’s originating source code and build instructions. Sigstore is an OpenSSF project that enables developers to validate that the software they are using is exactly what it claims to be, using cryptographic digital signatures and transparency log technologies.

Cosign 2.0 Released!

Cosign 2.0 has arrived! Cosign 2.0 follows Sigstore’s General Availability launch, which offers production-grade, stable services for artifact signing and verification. Cosign’s most significant change is that it no longer requires COSIGN_EXPERIMENTAL=1, since the Sigstore services are now stable! By default, Cosign will fetch an identity-based certificate from Fulcio when a signing key is not provided, and upload the signature and signing key to Rekor to provide transparency. The following is the list of breaking changes:

Cosign and Policy-controller with GKE, Artifact Registry and KMS

As soon as I came back from KubeCon NA 2022, my first ever in-person KubeCon, I felt re-energized. What a community, full of people eager to share knowledge and expertise with each other, so inspiring. I mostly attended sessions about security best practices for containers and Kubernetes (that’s what excites me these days!). Secure Software Supply Chain (S3C) was mentioned almost everywhere, for good reasons. Sigstore, as a new standard for signing, verifying and protecting software, got its own first SigstoreCon as a co-located event and hit the General Availability (GA) milestone.

Towards Easier, More Secure Signature Technology for the Java Ecosystem with Sigstore

In October 2022, the Sigstore project announced the General Availability of its free software signing service, giving open source communities access to production-grade services for artifact signing and verification. As the project matures, so do the language client integrations that are actively being developed. In January 2023, sigstore-python announced the 1.0 version of Sigstore for Python. The Java community has always taken a mature approach to security, so it should come as no surprise that there is plenty of activity towards integrating Sigstore into the existing ecosystem and offering first-class support for software signing and verification with Sigstore.

Sigstore January Roundup

This month, we are thrilled to have announced the 1.0 release of sigstore-python. This project started a year ago to provide a Sigstore-compatible client similar to cosign, but built entirely with Python and easily adoptable by the Python ecosystem. A big thank you to all the contributors and maintainers for making it to 1.0!

Latest Blog Posts

Thank you to Andrew, Felix and Zachary for contributing the following blog posts this month.