Sigstore November Roundup


Sigstore GA

Sigstore is excited to announce General Availability (GA) for the Rekor transparency log and Fulcio certificate authority public benefit services! The community has been working hard all year to accomplish this milestone, and we are thrilled that open source communities can now confidently rely on Sigstore for production-grade stable services for artifact signing and verification.

Read the Full Post by the Technical Steering Committee

SigstoreCon Recap

SigstoreCon on October 25 in Detroit was Sigstore’s first-ever event and we’re so happy to say that it was a success!

Thank you everyone for the:

  • awesome talks; thank you to the speakers
  • full program covering various topics by a dozen different companies; thank you to the Program Committee
  • great organization; thank you to the Linux Foundation Events Team
  • energy; thank you to all our attendees

Watch the talk recordings

Sigstore Awards

🏆 At SigstoreCon we also hosted our first award ceremony!

The 2022 Sigstore Award Winners are…

Most Valuable Contributor

This award is for the individual who has made a huge impact to the project this year.

🏆 Asra Ali — Asra has built many of the fundamental components in Rekor, and her work on the Sigstore TUF root of trust has been so critical to the security and GA launch for Sigstore. Beyond contributing directly to Sigstore, Asra has done a lot to build on top of Sigstore too with her work on SLSA!

Best Evangelist

This award is for the individual who has gone above and beyond to spread the word about Sigstore.

🏆 Batuhan (developer-guy) Apaydin — developer-guy has done amazing work spreading knowledge around Sigstore in many different ways (blog posts, tweets, meetups, videos) which have been instrumental in bringing newcomers to the community, helping them get up to speed faster and feel more comfortable.

Best User Adopter

This award is for the individual, team or organization that has adopted Sigstore and shared their impactful story with others.

🏆 SLSA GitHub Generators: The SLSA GitHub Generator project hosts a collection of trusted builders that can produce SLSA Level 3 compliant provenance. This project is a key part of connecting Sigstore to the wider supply chain security ecosystem and has also been a key source of feedback on both feature enhancements as well as on regressions and issues in Sigstore services.

Congratulations! 🎉 And thank you for everything you’ve done for the Sigstore Community.

Python Continues to Embrace Sigstore

The new release of Python 3.11 was one of the most exciting Python releases in a while, not just for the significant speed upgrades, but also because it is one of the first Python versions to be signed with Sigstore by default. Read more on Sigstore verification of Python Releases.

In addition, sigstore-python 0.7.0 was released this past month. This release now supports offline verification of Rekor entries, the ability to verify non-email identities, and more.

New Case Study

Brandon Gulla, CTO at Rancher Government Solutions, contributed a new Sigstore Case Study.

Read it: Sigstore Proves That Effective Supply Chain Security Doesn’t Have to Hurt

Blog: How Sigstore quickly patched an upstream vulnerability

Hayden Blauzvern contributed a blog post about a Sigstore vulnerability found in June by Joern Schneeweisz from the GitLab Security Research Team. Find out how it was fixed.

Latest Releases

Sigstore

Sigstore is currently on version 1.4.5.

Cosign

Cosign provides container signing, verification and storage in an OCI registry. Its latest release is v1.13.1.

Fulcio

Fulcio issues code-signing certificates bound to OpenID Connect identities for use within the Sigstore ecosystem. Its most recent release is v1.0.0!

Gitsign

Keyless Git signing with Sigstore! Its latest release is v0.3.2.

Rekor

Rekor aims to provide an immutable, tamper-resistant ledger of metadata generated within a software project’s supply chain. Its latest release is v1.0.0!

Join the Community

Sigstore welcomes new contributors and users with open (source) arms. We take pride in being friendly to new folks and fostering a welcoming and safe environment. There is always lots to do for everyone, no matter your experience level (not all of them being complex coding tasks).

Valued contributions include:

  • helping with documentation
  • general testing
  • sharing your love of Sigstore (Tweet about us @sigstoreproject) 🐦

Join our Slack workspace!