Sigstore January Roundup


Welcome to the January edition of the Sigstore Roundup! This is a regular summary of Sigstore news, events, releases and other happenings.

Events

KubeCon Europe 2024

The next KubeCon Europe will be held on 19th – 22nd March.

There are several Sigstore-related talks and events planned for KubeCon Europe, including:

FOSDEM 2024

The next FOSDEM will be held in Brussels, Belgium on 3rd & 4th February 2024, and will include a talk on Sigstore and SLSA by John Viega.

Sigstore Community Meeting

The last Sigstore Community Meeting was held on January 23rd.

You can watch a recording of the meeting here.

The next Sigstore Community Meeting will be held on February 6th.

To join the meeting, please see the meeting details.

Interesting Discussions and Developments

Cryptographic Agility

Some very interesting work is happening in the Sigstore community around cryptographic agility. This includes support for further signature algorithms and the integration of post-quantum signature schemes.

Community member William Woodruff had this to say about the work:

Over the past month, we’ve revisited the Configurable Crypto Algorithms proposal and have begun to work towards signature algorithm agility on various core Sigstore codebases (Fulcio, Rekor, cosign, sigstore-go, and the protobuf-specs). We’ve already made significant progress towards enabling agility within a safe set of signature suites, and are quickly moving towards a state where the public Sigstore instances will be able to handle Ed25519 keypairs and signatures. Longer term, we’ll be using that agility to investigate integrations of post-quantum signature schemes, including hash-based signature schemes like LMS and LM-OTS (the latter being a perfect fit for Sigstore’s “keyless” model).

The original proposal can be found here.
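To make concrete why a one-time hash-based scheme suits a keyless model, in which a key is generated, used for a single signature and then discarded, here is an added example. It is not Sigstore code and it is not LM-OTS: it implements the simpler Lamport one-time signature that LM-OTS is a more compact relative of, using SHA-256 and the standard library only. The `fully_exposed_positions` helper and the sample messages are this example's own constructions; it counts how many positions of the key become fully public once the same key signs two different messages, which is the failure mode a one-time scheme must avoid.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _msg_bits(msg: bytes) -> list:
    # The 256 bits of SHA-256(msg), most significant bit of each byte first.
    return [(byte >> (7 - i)) & 1 for byte in _h(msg) for i in range(8)]


def lamport_keygen():
    """One-time key: for each of the 256 digest bit positions, two secret
    32-byte preimages. The public key is the hash of every preimage."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes) -> list:
    # Signing reveals, at every position, the preimage selected by that digest bit.
    return [pair[bit] for pair, bit in zip(sk, _msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(s) == pair[bit] for s, pair, bit in zip(sig, pk, _msg_bits(msg)))


def fully_exposed_positions(pk, signed) -> int:
    """Given (msg, sig) pairs produced with the SAME key, count the positions
    where both preimages are now public. At such a position a forger may pick
    either bit. One signature exposes exactly one preimage per position, so
    nothing but the signed message verifies; a second signature on a different
    message exposes both preimages at every position where the digests differ,
    roughly half of them, which is why the key must be used exactly once."""
    revealed = [set() for _ in range(256)]
    for msg, sig in signed:
        for i, (s, bit) in enumerate(zip(sig, _msg_bits(msg))):
            if _h(s) == pk[i][bit]:
                revealed[i].add(bit)
    return sum(1 for r in revealed if r == {0, 1})


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    sig1 = lamport_sign(sk, b"artifact-v1")  # constructed sample message
    print("valid:", lamport_verify(pk, b"artifact-v1", sig1))
    print("exposed after one use:", fully_exposed_positions(pk, [(b"artifact-v1", sig1)]))
    sig2 = lamport_sign(sk, b"artifact-v2")  # key reuse: the thing a one-time scheme forbids
    print("exposed after reuse:",
          fully_exposed_positions(pk, [(b"artifact-v1", sig1), (b"artifact-v2", sig2)]))
```

The ephemeral, single-use key that a keyless flow issues per signing operation is exactly the usage pattern a one-time scheme requires, which is the fit the quote above refers to; a long-lived key would need a stateful many-time construction such as LMS instead.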

sigstore-python: DSSE support has landed!

Support for DSSE has been added to the sigstore-python library. This is a significant milestone for the project. The DSSE support is currently in a pre-release state and we welcome all feedback and contributions.

For those unfamiliar with DSSE (Dead Simple Signing Envelope), it is a signing envelope format: the payload, its payload type and one or more signatures travel together in a single JSON document, in contrast to the traditional detached signature approach where the signature is kept separately from the artifact. The signature is computed over a pre-authentication encoding (PAE) of the payload type and payload rather than over the raw payload, so a signature cannot be reused with a different payload type.

You can view the pull request here.

A release will be made shortly.
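The envelope layout and the PAE construction described above, as an added example that is not code from sigstore-python or the DSSE project. It uses only the standard library; HMAC-SHA256 with a constructed key stands in for the real signature algorithm (DSSE itself is algorithm-agnostic), the `keyid` value and the in-toto-style sample statement are constructed for the example, and the tamper cases show what binding the payload type into the signed bytes buys.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in key: a real envelope would be signed with an asymmetric
# key; HMAC is used only so the example runs offline. Not for production use.
STANDIN_KEY = b"example-key-not-for-production"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding, the exact bytes that get signed:
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
    with LEN as decimal ASCII. Because the type is inside the signed bytes,
    a signature over one payloadType cannot be replayed under another."""
    t = payload_type.encode("utf-8")
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t,
                      str(len(payload)).encode(), payload])


def _sign(data: bytes) -> bytes:
    return hmac.new(STANDIN_KEY, data, hashlib.sha256).digest()


def make_envelope(payload_type: str, payload: bytes, keyid: str = "example-key") -> dict:
    """Build the JSON envelope: type, base64 payload and a signature list."""
    sig = _sign(pae(payload_type, payload))
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope: dict) -> bool:
    """Recompute the PAE from the envelope's own payloadType and payload and
    check it against every listed signature. Malformed envelopes fail closed."""
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
        expected = _sign(pae(envelope["payloadType"], payload))
        return any(
            hmac.compare_digest(base64.b64decode(s["sig"], validate=True), expected)
            for s in envelope["signatures"]
        )
    except (KeyError, ValueError, TypeError):
        return False


def demo() -> tuple:
    """Returns (genuine verifies, type-swapped verifies, payload-swapped verifies)."""
    # Constructed in-toto-style statement used as the payload.
    statement = json.dumps({
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": "00" * 32}}],
    }).encode()
    env = make_envelope("application/vnd.in-toto+json", statement)
    # Same payload and signature, but the type is changed: PAE differs, so it fails.
    type_swapped = dict(env, payloadType="text/plain")
    # Same type and signature, different payload: fails as expected.
    payload_swapped = dict(env, payload=base64.b64encode(b"something else").decode("ascii"))
    return (verify_envelope(env), verify_envelope(type_swapped), verify_envelope(payload_swapped))


if __name__ == "__main__":
    print(demo())
```

The verifier only ever looks at the bytes it reconstructs itself from the envelope fields; it does not act on the payload until a signature checks out, which is the discipline any consumer of DSSE envelopes should keep.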

Latest Releases

This month has not seen any major releases, but there have been a number of minor releases across the various Sigstore projects.

sigstore-go v0.1.0

The initial release of sigstore-go has shipped!

https://github.com/sigstore/sigstore-go/releases/tag/v0.1.0

sigstore v1.8.1

The sigstore library has been updated to v1.8.1.

https://github.com/sigstore/sigstore/releases/tag/v1.8.1

Timestamp v1.2.1

The timestamp-authority library has been updated to v1.2.1.

https://github.com/sigstore/timestamp-authority/releases/tag/v1.2.1

User adoption

  • The Bandit Project is now using Sigstore to sign their releases. Read more.

In the News

Join the Community!

New contributors and users are always welcome into our community. We take pride in being friendly to new folks and fostering a welcoming and safe environment. Sigstore is a large open source project, so there is always plenty to do, and not all of it is complex coding work.

Valued contributions include: helping with documentation, general testing, and sharing your love of Sigstore with others.

Join our Slack workspace and come say hello! 👋