Welcome to the November edition of the Sigstore Roundup! This is a regular summary of Sigstore news, events, releases and other happenings.
Sigstore Google Season of Docs 2023 Case Study
A very comprehensive case study has been published on the Sigstore docs wiki about the Sigstore project’s participation in the 2023 program.
Thank you Lisa Tagliaferri for all your hard work on this and making it a success!
Rekor aims to provide an immutable, tamper-resistant ledger of metadata generated within a software project’s supply chain.
Check out the last major release v1.3.1, made since we last updated you.
- Enable GCP cloud profiling on rekor-server
- Move index storage into interface
- Add type of ed25519 key for TUF
- Allow parsing base64-encoded TUF metadata and root content
Cosign is container signing, verification and storage in an OCI registry. Its latest release is v2.2.1.
Some of the main new features include:
- Support basic auth and bearer auth login to registry
- New COSIGN_PKCS11_IGNORE_CERTIFICATE environment variable: when set to “1”, it skips loading certificates into a PKCS11 key.
- Cosign triangulate now supports image digest retrieval from OCI registries
- Attach rekor bundle to a container image
- Add support for outputting the Rekor response on signing
Keyless Git signing with Sigstore! Its latest release is v0.8.0.
- Add options for Rekor client, make public key fetcher configurable.
- Add gitsign initialize. (#321)
- Fix offline verification marshalling, add e2e tests.
Let’s take a look at the latest releases and updates of the Sigstore libraries.
A Rust library for interacting with Sigstore. Its latest release is v0.7.3.
- sigstore-rs now supports use of a TUF trustroot. This allows for the use of a TUF repository as a trust root for verifying signatures.
Lots of new changes in the sigstore java library. Its latest release is v0.5.0.
- BYOB-based SLSA-generator
- PKIX DER-encoded key parsing
- Add accessors to trustroot
While not yet at its first release, development on the Go library is still ongoing!
Do check it out; there are lots of examples of using the library. See here.
The Python library is also still under active development. Check out the last major release v2.0.0, made since we last updated you.
- CLI: sigstore sign and sigstore get-identity-token now support the --oauth-force-oob option, which has the same behavior as the
- Version 0.2 of the Sigstore bundle format is now supported
- API addition: VerificationMaterials.to_bundle() is a new public API for producing a standard Sigstore bundle from sigstore-python’s internal representation
- API addition: New method sign.SigningResult.to_bundle() allows signing applications to serialize to the bundle format that is already usable in verification with verify.VerificationMaterials.from_bundle()
sigstore-js is one of our more mature libraries now, so changes are mostly bug fixes and minor improvements.
In the News
- JPMorgan’s Global CISO urges use of Sigstore, Alpha-Omega in open source security drive
- Sigstore: Simplifying Code Signing for Open Source Ecosystems
- Stacklok Builds on Sigstore to Identify Safe Open Source Libraries
- Wind River Further Expands VxWorks RTOS Containers Leadership with Cosign Support
Join the Community!
New contributors and users are always welcome in our community. We take pride in being friendly to new folks and fostering a welcoming and safe environment. Being a large open source project, there is always plenty to do, and not all of it is complex coding work.
Valued contributions include: helping with documentation, general testing, and sharing your love of Sigstore with others.
Join our Slack workspace and come say hello! 👋