Sigstore Blog - Sigstore Blog

Jan 24, 2023

Written by Felix Wolff

A Guide to Running Sigstore Locally

Co-authored with Andrew Block A key concept in Sigstore is its availability. Anyone can leverage the hosted tooling to sign, publish and verify assets and incorporate it into their security processes. In a corporate context with private repositories and private artifacts as well as restricted access to external resources, it must be questioned whether it makes sense to use the public Sigstore deployment. Sensitive information might be exposed. Given the principles of the Sigstore architecture, it cannot be erased or fenced off.

Tags: sigstore , deployment , helm

Jan 14, 2023

Written by di_codes

Announcing the 1.0 release of sigstore-python

The sigstore-python project began 1 year ago in January 2022 with the goal of providing a Sigstore-compatible client similar to cosign, but built entirely with Python and easily adoptable by the Python ecosystem. Today, thanks to the support of the community and work of 18 unique contributors, we’re excited to announce a usable and reference-quality 1.0 stable release of that client, which includes an importable Python API as well as a fully functional CLI.

Tags: sigstore , python

Jan 6, 2023

Written by Zachary Newman

Why you can’t use Sigstore without Sigstore

Photo by C Dustin on Unsplash I was delighted to see a recent preprint that mentioned Sigstore appear on the IACR’s Cryptology ePrint Archive. The reason that we published an academic paper, Sigstore: Software Signing for Everybody, was to encourage the scrutiny of the research community. Progress in the field of computer security only comes from the back-and-forth between proposed defenses and offensive analyses of those techniques, and we welcome third-party analysis of the project.

Tags: sigstore , python

Dec 23, 2022

Written by Sigstore

Sigstore December Roundup

“And lo, in the land of software package management, a system was born to bring order and trust. Sigstore was its name, and its mission was to sign packages with short-lived certificates, validated by a powerful OIDC provider. These signed packages were then placed in a transparency database for all to see, like a holy book open for all to read and verify. Sigstore was a beacon of hope in a chaotic world, shining brightly as a protector of software integrity.

Tags: sigstore , security , softwaresupplychain , supplychainsecurity , npm

Dec 20, 2022

Written by developer-guy

How to become the next Sigstore Evangelist?

How to become the next Sigstore Evangelist? My story began by seeking a solution for signing container images at my company Trendyol. You will appreciate that few solutions were available at that time, almost two years ago. The only solution was DCT (Docker Content Trust) based on a Notary project, which is an implementation of the TUF (The Update Framework) specification, which allows you to verify both the integrity of the image and the publisher of all the data received from a registry by creating and using digital signatures.

Tags: sigstore , cosign , sigstorecon , evangelist , bestsigstoreevangelist

Newer

Older