Sigstore, the project backed by Google, Red Hat, GitHub and other organizations to secure the open source software supply chain, has reached general availability and released v1.0 versions of its key software components.
This week, Sigstore marked its general availability milestone with v1.0 releases of the Rekor transparency log and the Fulcio certificate authority. The project now considers itself production-ready for signing and verifying software artifacts.
Sigstore provides the means to cryptographically sign code with minimal setup, record each signature in a public transparency log so that consumers can verify it, and monitor that log for unexpected activity, so that the software supply chain can be verified end to end. On its project site, sigstore.dev, Sigstore describes itself as:
sigstore is a set of tools that developers, software maintainers, package managers, and security experts can benefit from. Bringing together free open source technologies like Fulcio, Cosign, and Rekor, it handles the digital signing, verification, and provenance checks needed to make the distribution and use of open source software safer.
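As an added illustration of the sign, log and verify cycle described above (this is example code written for this article, not code from Sigstore or from sigstore.dev), the Go program below models the keyless flow: a throwaway Ed25519 key signs an artifact digest, the signature is appended to a toy in-memory log whose Merkle tree and inclusion proofs follow RFC 6962 and RFC 9162 the way Rekor's do, and a consumer checks digest, signature and inclusion before trusting the artifact. The Entry and Log types, the artifact names and the simplified leaf layout are assumptions made for the example, and the step where Fulcio binds the key to an OIDC identity is deliberately left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Entry is what the toy log records per signature (layout assumed for this example): digest,
// ephemeral public key, signature. All fixed-size (32, 32, 64 bytes), so concatenation is a safe leaf.
type Entry struct {
	Digest    []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}
func (e Entry) Marshal() []byte { return bytes.Join([][]byte{e.Digest, e.PublicKey, e.Signature}, nil) }

// RFC 6962 domain-separated hashing: 0x00 prefix for leaves, 0x01 for interior nodes.
func hashLeaf(d []byte) []byte    { h := sha256.Sum256(append([]byte{0}, d...)); return h[:] }
func hashNode(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }

func split(n int) int { k := 1; for k*2 < n { k *= 2 }; return k } // largest power of two below n (n > 1)

// merkleRoot is MTH(D[n]) and inclusionPath is PATH(m, D[n]) from RFC 6962 section 2.1.
func merkleRoot(d [][]byte) []byte {
	if len(d) == 1 { return hashLeaf(d[0]) }
	k := split(len(d))
	return hashNode(merkleRoot(d[:k]), merkleRoot(d[k:]))
}
func inclusionPath(m int, d [][]byte) [][]byte {
	if len(d) == 1 { return nil }
	k := split(len(d))
	if m < k { return append(inclusionPath(m, d[:k]), merkleRoot(d[k:])) }
	return append(inclusionPath(m-k, d[k:]), merkleRoot(d[:k]))
}

// verifyInclusion is the client-side check from RFC 9162 section 2.1.3.2, as a Rekor client runs it.
func verifyInclusion(leaf []byte, index, treeSize int, path [][]byte, root []byte) bool {
	if index >= treeSize { return false }
	fn, sn, r := index, treeSize-1, hashLeaf(leaf)
	for _, p := range path {
		if sn == 0 { return false }
		if fn&1 == 1 || fn == sn { // p is a left sibling
			r = hashNode(p, r)
			for fn&1 == 0 && fn != 0 { fn, sn = fn>>1, sn>>1 } // skip levels where this node is the right edge
		} else {
			r = hashNode(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}

type Log struct{ leaves [][]byte } // toy in-memory append-only log standing in for Rekor (assumption)
func (l *Log) Append(e Entry) int   { l.leaves = append(l.leaves, e.Marshal()); return len(l.leaves) - 1 }
func (l *Log) Root() []byte         { return merkleRoot(l.leaves) }
func (l *Log) Proof(i int) [][]byte { return inclusionPath(i, l.leaves) }

// SignArtifact models the keyless flow: a fresh key signs the artifact digest, the result is logged,
// and the private key is dropped on return. Binding the key to an OIDC identity (Fulcio) is omitted.
func SignArtifact(l *Log, artifact []byte) (Entry, int) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	d := sha256.Sum256(artifact)
	e := Entry{Digest: d[:], PublicKey: pub, Signature: ed25519.Sign(priv, d[:])}
	return e, l.Append(e)
}

// VerifyArtifact is the consumer-side check; any failing step is a reason not to install the artifact.
func VerifyArtifact(artifact []byte, e Entry, index int, proof [][]byte, root []byte, size int) error {
	d := sha256.Sum256(artifact)
	switch {
	case !bytes.Equal(d[:], e.Digest):
		return errors.New("artifact digest does not match the logged entry")
	case !ed25519.Verify(e.PublicKey, e.Digest, e.Signature):
		return errors.New("signature does not verify under the logged key")
	case !verifyInclusion(e.Marshal(), index, size, proof, root):
		return errors.New("entry is not included in the log under this root")
	}
	return nil
}

func main() {
	tlog := &Log{}
	for _, n := range []string{"pkg-1.0.tgz", "pkg-1.1.tgz", "pkg-1.2.tgz"} { SignArtifact(tlog, []byte(n)) } // constructed samples
	artifact := []byte("pkg-2.0.tgz")
	entry, idx := SignArtifact(tlog, artifact)
	proof, root, size := tlog.Proof(idx), tlog.Root(), len(tlog.leaves)
	fmt.Println("genuine:", VerifyArtifact(artifact, entry, idx, proof, root, size))
	// A backdoored build re-signed with an attacker's own key passes the digest and signature
	// checks but has no inclusion proof under the root the consumer trusts.
	evil := []byte("pkg-2.0.tgz+backdoor")
	apub, apriv, _ := ed25519.GenerateKey(rand.Reader)
	ed := sha256.Sum256(evil)
	rogue := Entry{Digest: ed[:], PublicKey: apub, Signature: ed25519.Sign(apriv, ed[:])}
	fmt.Println("unlogged:", VerifyArtifact(evil, rogue, idx, proof, root, size))
}
```

Run it with `go run`. The point the model makes is that the transparency log proves a signature was recorded publicly and has not been rewritten since the consumer pinned the root; it does not by itself prove who made the signature, since anyone can append. In real Sigstore that identity comes from the Fulcio certificate and the OIDC claims in it, which a verifier must check against the identity it expects, and the "monitor activity" part of the description is exactly watching the log for signatures under your identity that you did not make.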
A standardized approach
This means that anyone consuming open source software has a stricter, more standardized way to verify who signed an artifact and that it has not been tampered with since. In the keyless flow, signing keys are short-lived and bound to the signer's OIDC identity through a certificate from Fulcio, so there is no long-lived private key for a third party to steal, which removes the usual way an attacker hijacks a build and slips something malicious into it.