Sigstore is excited to announce General Availability (GA) for the Rekor transparency log and Fulcio certificate authority public benefit services! The community has been working hard all year to accomplish this milestone, and we are thrilled that open source communities can now confidently rely on Sigstore for production-grade stable services for artifact signing and verification.
Read the Full Post by the Technical Steering Committee
SigstoreCon on October 25 in Detroit was Sigstore’s first-ever event and we’re so happy to say that it was a success!
Loved the message from @AsraEntr0py’s talk at #SigstoreCon. We need identity and transparency for everything that happens in the supply chain. Lots of great projects helping with this already ❤️ pic.twitter.com/f7nu4dP62U — Dan Luhring (@danluhring) October 25, 2022
Thank you everyone for the:
- awesome talks; thank you to the speakers
- full program covering various topics by a dozen different companies; thank you to the Program Committee
- great organization; thank you to the Linux Foundation Events Team
- energy; thank you to all our attendees
🏆 At SigstoreCon we also hosted our first award ceremony!
The 2022 Sigstore Award Winners are…
Most Valuable Contributor
This award is for the individual who has made a huge impact on the project this year.
🏆 Asra Ali — Asra has built many of the fundamental components in Rekor, and her work on the Sigstore TUF root of trust has been so critical to the security and GA launch for Sigstore. Beyond contributing directly to Sigstore, Asra has done a lot to build on top of Sigstore too with her work on SLSA!
This award is for the individual who has gone above and beyond to spread the word about Sigstore.
🏆 Batuhan (developer-guy) Apaydin — developer-guy has done amazing work spreading knowledge around Sigstore in many different ways (blog posts, tweets, meetups, videos) which have been instrumental in bringing newcomers to the community, helping them get up to speed faster and feel more comfortable.
Best User Adopter
This award is for the individual, team or organization that has adopted Sigstore and shared its impactful story with others.
🏆 SLSA GitHub Generators: The SLSA GitHub Generator project hosts a collection of trusted builders that can produce SLSA Level 3 compliant provenance. This project is a key part of connecting Sigstore to the wider supply chain security ecosystem and has also been a key source of feedback on feature enhancements as well as on regressions and issues in Sigstore services.
Congratulations! 🎉 And thank you for everything you’ve done for the Sigstore Community.
Python Continues to Embrace Sigstore
The new release of Python 3.11 was one of the most exciting Python releases in a while, not just for the significant speed upgrades, but also because it is one of the first new versions of Python to be signed with Sigstore by default. Read more on Sigstore verification of Python Releases.
Python 3.11 was just released, and uses @trailofbits' work on sigstore-python (under @projectsigstore) to publish certificates and signatures! I'm extremely proud to have been a part of this work, alongside @di_codes, Alex Cameron, and many others! https://t.co/v8tlweQSsH pic.twitter.com/Z2gwxZrol1 — William Woodruff (126.96.36.199.4.1.55738) (@8x5clPW2) October 24, 2022
In addition, sigstore-python 0.7.0 was released this past month. This release now supports offline verification of Rekor entries, the ability to verify non-email identities, and more.
New Case Study
Brandon Gulla, CTO at Rancher Government Solutions, contributed a new Sigstore Case Study.
Read it: Sigstore Proves That Effective Supply Chain Security Doesn’t Have to Hurt
Blog: How Sigstore quickly patched an upstream vulnerability
Hayden Blauzvern contributed a blog post about a Sigstore vulnerability found in June by Joern Schneeweisz from the GitLab Security Research Team. Find out how it was fixed.
Sigstore is currently on version 1.4.5.
Cosign is container signing, verification and storage in an OCI registry. Its latest release is v1.13.1.
Fulcio issues code-signing certificates bound to OpenID Connect identities for use within the Sigstore ecosystem. Its most recent release is v1.0.0!
Keyless Git signing with Sigstore! Its latest release is v0.3.2.
Rekor aims to provide an immutable, tamper-resistant ledger of metadata generated within a software project’s supply chain. Its latest release is v1.0.0!
Join the Community
Sigstore welcomes new contributors and users with open (source) arms. We take pride in being friendly to new folks and fostering a welcoming and safe environment. There is always lots to do for everyone, no matter your experience level, and not all of it involves complex coding tasks.
Valued contributions include:
- helping with documentation
- general testing
- sharing your love of Sigstore (Tweet about us @sigstoreproject) 🐦
Join our Slack workspace!