Welcome to the February edition of the Sigstore Roundup! This is a regular summary of Sigstore news, events, releases and other happenings.
Events
KubeCon Europe 2024
The next KubeCon Europe will be held on 19th – 22nd March.
There are several Sigstore related talks and events planned for KubeCon Europe, including:
- Securing the Supply Chain with Sigstore Artifacts Signatures at Scale - Dmitry Savintsev & Yonghe Zhao, Yahoo
- Navigating the Software Supply Chain Defense Landscape - Marina Moore & Aditya Sirish A Yelgundhalli, New York University
- Contribfest: Enable Additional Signing Mechanisms for TUF and in-toto: No Cryptography Skills Required
Open Source Summit North America 2024
The next Open Source Summit North America will be held on April 16th – 18th.
There are a few Sigstore related talks planned:
- Securing Git Repositories with Gittuf - Aditya Sirish A Yelgundhalli, New York University & Billy Lynch, Chainguard
- Public Sector + OpenSSF: Principles for Package Repository Security - Jack Cable, CISA & Zach Steindler, GitHub
- Panel Discussion: Improving Supply Chain Integrity with OpenSSF Technologies - Arnaud Le Hors, IBM; Jay White, Microsoft; Isaac Hepworth, Google; Michael Lieberman, Kusari; Marcela Melara, Intel Corporation
SOSS Community Day North America 2024
Previously called OpenSSF Day, SOSS Community Day North America will be held on April 15th.
There are several Sigstore talks planned:
- Sigstore: 2024 and Beyond - Hayden Blauzvern, Google
- Leveraging Sigstore Capabilities in a Local Environment - Chad Coleman, Lockheed Martin
- Build Provenance: Lessons (so Far) from Homebrew - Joe Sweeney, Trail of Bits
Sigstore Community Meeting
The last Sigstore Community Meeting was held on February 20th.
You can watch a recording of the meeting here.
The next Sigstore Community Meeting will be held on March 5th.
To join the meeting, please see the meeting details.
Please do come along, all are welcome!
Interesting Discussions and Developments
Sigstore Graduation Review
Sigstore will go forward for Graduation Review at the OpenSSF TAC meeting on March 5th. This is a significant milestone for the project and we are excited to see the outcome. The pull request for the graduation review can be found here.
Latest Releases
This month has not seen any major releases, but there have been a number of minor releases across the various Sigstore projects.
Fulcio v1.4.4
The Fulcio library has been updated to v1.4.4. This release adds a production OIDC provider for Eclipse, along with minor bug fixes and changes such as making the parseExtension function public, allowing the metrics port to be overridden, and adding a configurable idle timeout.
Read the release notes here.
Rekor v1.3.5
Log timestamps now have nanosecond precision, support was added for the sha384/sha512 hash algorithms in hashedrekords, and an additional DB unique index correction was made.
Read the release notes here.
sigstore-go v0.2.0
v0.2.0 of sigstore-go includes an updated TUF client. Verification now requires that both the certificate issuer and the SAN be specified.
Read the release notes here.
sigstore v1.8.2
The sigstore library has been updated to v1.8.2.
Support was added for an Ed25519ph Signer/Verifier and for auto-closing the OAuth flow window.
Client credentials are now supported as an OIDC Auth Flow Provider.
Read the release notes here.
Timestamp v1.2.2
The timestamp-authority library has been updated to v1.2.2. This is a minor release containing a bug fix for a Go checksum database error on installation that was caused by a deleted tag.
Read the release notes here.
In the News / Community
Caleb Woodbine wrote a blog post titled “Sign, Verify and Trust with Cosign”. Read more here.
The open source Minder project describes how it uses Sigstore to verify cryptographic provenance. Read more here.
A stream was hosted by Viktor Farcic and Whitney Lee on “Signing Artifacts - Feat. Notary, Sigstore, and Open Policy Containers”. Watch it here.
Join the Community!
New contributors and users are always welcome in our community. We take pride in being friendly to new folks and fostering a welcoming and safe environment. As a large open source project, there is always a lot to do, and not all of it involves complex coding tasks.
Valued contributions include: helping with documentation, general testing, and sharing your love of Sigstore with others.
Join our Slack workspace and come say hello! 👋