Sigstore has announced the general availability of its free software signing service that gives open source communities access to stable, production-quality services for signing and verifying artifacts.
Announced today at SigstoreCon, the GA finally removes the last barrier that stood before the widespread adoption of its supply chain security solution. The Kubernetes and Python communities have already adopted Sigstore’s wax seal of authenticity by signing their production releases with Sigstore, and npm looks set to follow shortly.
According to Unpleasant Zach Steindler, program manager for npm integration:
“Sigstore will enable a new security capability in the npm ecosystem – a reliable way to link a package back to its source code and build instructions. Te GA means we can rely on it during production, which in turn gives our users more confidence that npm packages contain what they claim. This couldn’t be more timely as everyone is looking to improve software supply chain security. ”
The GA status makes it possible for any open source project out there and not just the elite to get on board, denoting the stability and reliability needed for adoption; Sigstore has your back. The service is free to use for all developers and software vendors, with the sigstore code and operating tools developed by the sigstore community.
As a refresher, the Sigstore ecosystem consists of:
For signing, verifying and storing containers in an Open Container Initiative (OCI) registry, making signatures an invisible infrastructure.
A built-in transparency and timestamping service, Rekor records signed metadata in a ledger that can be searched, but not tampered with.
- Open ID Connect
A layer of identity that checks that you are who you say you are. It allows customers to request and receive information about authenticated sessions and users.
A free root certificate authority, which issues temporary certificates to an authorized identity and publishes them in the Rekor transparency log.
- Certificate Authority
A mechanism that generates certificates, binds cryptographic keys to an identity, and performs an independent check of an artifact’s information.
- Trust the root
The foundation of trust behind the whole of sigstore, our key holders and practices to protect the root keys.
This ecosystem enables software developers to securely sign software artifacts such as release files, container images, and binaries, the signing material of which is then stored in the tamper-resistant public log.
I recently reviewed another such tool, Gitsign:
Since everyone is on Git, what better way to start signing the first artifacts of the supply chain, the commits? While Sigstore had released tools for signing containers and binaries, there was nothing for signing git commits. This is about to change with Gitsign, which allows you to keyless sign your commits using your GitHub/OIDC identity.
Not only does this relieve you of the burden of managing the keys yourself, it also addresses the issue of those keys often being written into the source of the repo itself, effectively canceling the signing process.
But container security isn’t left out of the picture either, with Chainguard, the co-creator of Sigstore, launching Wolfi, a community Linux (un)distribution built with the standard security measures needed to secure the software supply chain:
The drive for integrity and transparency in the software supply chain has left organizations struggling to build software security measures such as signatures, provenance, and SBOMs into older systems and existing Linux distributions. To that end, Sigstore is good, but requires manual labor. There must be a better way to utilize the facilities.
And what could be better than packing all the work into an immutable container? Chainguard’s new Linux (un)distribute and build toolchain, Wolfi, does just that. It produces container images that meet the requirements of the secure software supply chain; those are images already signed and sensible defaults.
But the tools mean nothing without documentation and training to apply them to real use cases. That’s why the Linux Foundation, in partnership with Chainguard, has launched a new course to train developers in:
Chapter 1. Introducing Sigstore
Chapter 2. Cosign: Signing, verification and storage of containers in an OCI registry
Chapter 3. Fulcio: A New Kind of Root Certificate Authority for Code Signing
Chapter 4. Rekor: Software Supply Chain Transparency Log
Chapter 5. Sigstore: Using the Tools and Getting Involved in the Community
With all that effort and the GA of the recent service, consumers of OSS should start to feel much safer. . .
Protect the software supply chain with Gitsign
Wolfi Linux (On)Distribution secures the software supply chain
Secure your software supply chain with this free course
To stay up to date with new articles about I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on tweeting, Facebook or LinkedIn.
or email your comment to: email@example.com