Attempting To Secure The Open Source Software Supply Chain, Sigstore Reaches GA
With a goal to protect the open source software supply chain, Sigstore, which is backed by Google, Red Hat, GitHub, and other well-known companies, has reached public availability and released the “v1.0” versions for its core software components.
The v1.0 versions of Sigstore’s Rekor transparency log and Fulcio certificate authority software were released this week as part of the company’s general availability milestone celebration. For the purposes of software artefact signing and verification, Sigstore now believes itself to be production-grade.
Sigstore offers methods for quickly and cryptographically-backed code signing, transparency log-based signature verification, and activity monitoring for securely vetting the software supply chain. Sigstore provides the following self-description on its project website:
“sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software. A standardized approach. This means that open source software uploaded for distribution has a stricter, more standardized way of checking who’s been involved, that it hasn’t been tampered with. There’s no risk of key compromise, so third parties can’t hijack a release and slip in something malicious.”
The Google Open Source Blog and the Sigstore blog both include additional information about Sigstore’s broad release this week.