Dec 13, 2022

Written by Zachary Newman, Marina Moore

Signatus, ergo securus? Who can sign what with TUF and Sigstore

Photo by Brett Jordan on Unsplash Sigstore is an open-source project and service run by the OpenSSF to make signing software easy! Before Sigstore, a developer who wanted to sign software needed to manage a GPG key. With Sigstore, they can use their identity (for instance, a Gmail account) to sign. It also brings transparency: actions must be posted on a public log, so they can be audited to detect bad behavior and to analyze damage after-the-fact.

Tags:  sigstoresoftwaresupplychainidentitytufintoto

Nov 30, 2022

Written by sigstore

New Sigstore Landscape: Add your signed project

A Sigstore section was added to the Open Source Security Foundation (OpenSSF)’s Landscape. The aim of the Sigstore Landscape is to show the collection of technologies that make up the project’s growing ecosystem. This gives everyone a great overview of how everything fits together. Landscape Sections The Sigstore Landscape currently has seven different sections. Architecture/Spec Sigstore is a new standard for signing, verifying and protecting software. It can be used to make sure your software is what it claims to be.

Tags:  sigstorerekorcosignopenssfsoftwaresupplychain

Nov 23, 2022

Written by Sigstore

Using Sigstore to meet FedRAMP Compliance at Autodesk

This is a Sigstore case study contributed by Jesse Sanford of Autodesk In today’s *-as-a-Service world, platforms are everywhere. Products as complex as entire operating systems and as simple as shared libraries are built and maintained on them. As software engineers, we leverage them for common capabilities. This allows us to focus on our customer needs and leave other cross-cutting concerns to the subject matter experts. Typically, security and compliance capabilities are particularly well suited for being delegated to the platform.

Tags:  sigstorecicdsoftwaresupplychainsecurityautodesk

Nov 17, 2022

Written by Zachary Newman, John Speed Meyers, Santiago Torres-Arias

'Sigstore: Software Signing For Everybody' has been published in the proceedings of the ACM Computer and Communications Security Conference

Photo by Bank Phrom on Unsplash Sigstore: Software Signing for Everybody has been published at the 2022 ACM Computer and Communications Security (CCS) conference in Los Angeles, CA, an academic computer security conference, featuring publications from research universities around the world and industry labs at organizations like Google, Microsoft, Meta, and Amazon. This peer-reviewed research paper describes Sigstore, its security model, some data about its usage, and potential applications and is freely available under a CC-BY 4.

Tags:  sigstoreresearchpapercomputersecuritysoftwaresupplychain

Nov 10, 2022

Written by sigstore

Security by Default: How Verizon New Business Incubation Uses Sigstore to Demonstrate Provenance and Improve Customer Confidence

This is a Sigstore case study contributed by Aaron Bacchi of Verizon When people think of 5G networks, they typically think solely of the speed and bandwidth that distinguishes the 5G network from its predecessors. However, the real story is the innumerable applications and use cases that 5G makes possible. 5G technology can help entrepreneurs and enterprises create a host of new possibilities in the form of smart spaces — cities, buildings, and homes — where high-speed wireless connectivity, combined with robotics and automation tools, can transform the world we live in and the way we live in it.

Tags:  sigstoreslsasupplychainsecurityopensource5g