How to become the next Sigstore Evangelist?

My story began by seeking a solution for signing container images at my company Trendyol. You will appreciate that few solutions were available at that time, almost two years ago. The only solution was DCT (Docker Content Trust) based on a Notary project, which is an implementation of the TUF (The Update Framework) specification, which allows you to verify both the integrity of the image and the publisher of all the data received from a registry by creating and using digital signatures.

Securing Your Software Supply Chain Without Changing Your DevOps Workflow

*This is a Sigstore case study contributed by Tobias Trabelsi of DB Schenker.*

DevOps has transformed the way software is built. The practice is ubiquitous, and organizations, big and small, use this approach to streamline development and accelerate release cycles. Many DevOps tools are created and supported by the open source community, but some companies shy away from these applications, preferring enterprise products with 24/7 support and established companies behind them.

Signatus, ergo securus? Who can sign what with TUF and Sigstore

Sigstore is an open-source project and service run by the OpenSSF to make signing software easy! Before Sigstore, a developer who wanted to sign software needed to manage a GPG key. With Sigstore, they can use their identity (for instance, a Gmail account) to sign. It also brings transparency: actions must be posted on a public log, so they can be audited to detect bad behavior and to analyze damage after-the-fact.

New Sigstore Landscape: Add your signed project

A Sigstore section was added to the Open Source Security Foundation (OpenSSF)’s Landscape. The aim of the Sigstore Landscape is to show the collection of technologies that make up the project’s growing ecosystem. This gives everyone a great overview of how everything fits together.

Landscape Sections

The Sigstore Landscape currently has seven different sections.

Architecture/Spec

Sigstore is a new standard for signing, verifying and protecting software. It can be used to make sure your software is what it claims to be.

Using Sigstore to meet FedRAMP Compliance at Autodesk

This is a Sigstore case study contributed by Jesse Sanford of Autodesk.

In today’s *-as-a-Service world, platforms are everywhere. Products as complex as entire operating systems and as simple as shared libraries are built and maintained on them. As software engineers, we leverage them for common capabilities. This allows us to focus on our customer needs and leave other cross-cutting concerns to the subject matter experts. Typically, security and compliance capabilities are particularly well suited for being delegated to the platform.