Software supply chain security quickly became a hot topic in the last few years, especially as the number of high-profile attacks increased and the White House got involved. Sigstore, an open source project supported by the likes of Google, GitHub, Chainguard and Red Hat, has become something of a standard for signing, verifying and protecting software projects, and the dependencies they use, to make sure that the software you install and run on your machines hasn’t been tampered with. These days, after all, there aren’t many software projects that don’t rely on at least one, and usually multiple, open-source libraries, which themselves probably rely on other libraries, too. And with many of these projects maintained by volunteers, they make for an easy target for attackers.
Today, at SigstoreCon, a co-located event at the CNCF’s KubeCon/CloudNativeCon conference in Detroit, the Sigstore community announced the general availability of its free software signing service for open source projects. Sigstore is already one of the fastest-adopted open source projects ever, with more than 4 million signatures logged so far. Both the Kubernetes and Python communities use it to sign their releases. And npm, the popular JavaScript package manager, is currently in the process of integrating Sigstore to ensure the provenance of its packages.
“Sigstore has rapidly become the standard for signing, verifying, and protecting software, so it’s great to announce the general availability to remove one last barrier for more widespread adoption during a time when software supply chain security is more important than ever,” said Priya Wadhwa, a member of the Sigstore Technical Steering Committee and software engineer at Chainguard. “It is our hope that this next phase of Sigstore will empower the rest of the open source software ecosystem to gain increased confidence in adopting this technology and benefit from its reliable and stable experience.”
The Sigstore community promises 99.5% uptime and pager support for the public service, more than most free projects can offer. Sigstore, it’s worth noting, is a nonprofit project funded under the Open Source Security Foundation. Sigstore itself consists of a number of projects: Cosign for signing containers and other artifacts, Rekor for recording those signatures in an immutable, publicly auditable transparency log and, of course, Fulcio for issuing the short-lived signing certificates in the first place, which bind an ephemeral key to an OIDC identity. For anyone verifying, the practical consequence is that checking a signature is not enough on its own; a verifier also has to pin the expected signer identity and issuer from the certificate and confirm that the signature was recorded in the log.
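The "immutable ledger" in that description is a Merkle-tree transparency log, and the property a client relies on is an inclusion proof: a short list of sibling hashes that lets it recompute the log's root hash from the one entry it holds. The following is an added illustration, not Sigstore's or Rekor's code, of that mechanism using RFC 6962-style hashing (which Rekor's Trillian-backed log also uses); the entries, identities and issuer URL are constructed for the example, and the signed checkpoint, certificate and signature checks that a real verifier performs alongside the proof are deliberately left out.

```python
"""Toy RFC 6962-style transparency log with inclusion proofs.

Added illustration, not Sigstore code: models the append-only ledger side
of the signing flow with constructed entries. Real verification also checks
the signed checkpoint, the Fulcio certificate and the signature itself.
"""
import hashlib
import json

LEAF_PREFIX = b"\x00"  # RFC 6962 domain separation for leaf hashes
NODE_PREFIX = b"\x01"  # ... and for interior-node hashes


def canonical(entry: dict) -> bytes:
    """Deterministic bytes for an entry; the log only ever hashes these."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), per RFC 6962."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: list) -> bytes:
    """Merkle tree hash MTH(D[n]) over a list of leaf hashes."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list, index: int) -> list:
    """Audit path PATH(m, D[n]): sibling hashes ordered from the leaf upward."""
    if len(leaves) <= 1:
        return []
    k = _split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def _root_from_path(leaf: bytes, index: int, size: int, path: list) -> bytes:
    """Rebuild the root from a leaf hash and its audit path (mirror of inclusion_proof)."""
    if size == 1:
        if path:
            raise ValueError("audit path too long")
        return leaf
    if not path:
        raise ValueError("audit path too short")
    k = _split_point(size)
    sibling = path[-1]  # last element is the sibling nearest the root
    if index < k:
        return node_hash(_root_from_path(leaf, index, k, path[:-1]), sibling)
    return node_hash(sibling, _root_from_path(leaf, index - k, size - k, path[:-1]))


def verify_inclusion(leaf: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    """True iff `leaf` sits at `index` in the tree of `size` leaves whose hash is `root`."""
    if size <= 0 or not 0 <= index < size:
        return False
    try:
        return _root_from_path(leaf, index, size, list(path)) == root
    except ValueError:
        return False


def verify_entry(entry: dict, index: int, size: int, path: list, root: bytes) -> bool:
    """What a client does: re-hash the entry it holds, then check the proof against the root."""
    return verify_inclusion(leaf_hash(canonical(entry)), index, size, path, root)


class TransparencyLog:
    """Append-only log: entries can be added, never changed or removed."""

    def __init__(self):
        self._leaves = []

    @property
    def size(self) -> int:
        return len(self._leaves)

    def append(self, entry: dict) -> int:
        self._leaves.append(leaf_hash(canonical(entry)))
        return len(self._leaves) - 1

    def root(self) -> bytes:
        return merkle_root(self._leaves)

    def proof(self, index: int) -> list:
        return inclusion_proof(self._leaves, index)


def demo():
    """Log five constructed signing records, verify each, then tamper with one."""
    log = TransparencyLog()
    entries = [{"artifact_sha256": f"{i:064x}", "signature": f"sig-{i}",  # constructed values
                "identity": "release-bot@example.com", "issuer": "https://issuer.example"}
               for i in range(5)]
    receipts = [(e, log.append(e)) for e in entries]
    size, root = log.size, log.root()
    all_ok = all(verify_entry(e, i, size, log.proof(i), root) for e, i in receipts)
    # An attacker who rewrites the logged identity cannot reuse the original proof.
    tampered = dict(entries[0], identity="attacker@example.org")
    tampered_ok = verify_entry(tampered, 0, size, log.proof(0), root)
    return all_ok, tampered_ok


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("all genuine entries verify:", ok)      # True
    print("tampered entry verifies:", tampered_ok)  # False
```

The shape matters more than the toy: a client keeps only its own entry, its index, the log size and a root hash it trusts, and an inclusion proof lets it confirm the entry is in the log without downloading the whole thing. Without a signed checkpoint tying that root to a specific log operator, though, the proof only shows consistency with whatever root the client was handed, which is why real verifiers also check the checkpoint signature.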
Sigstore launches free software signing and verification service for open source projects, by Frederic Lardinois, originally published on TechCrunch.