sigstore, the free digital signing service for open source supply chain security, gets additional support
Kristin OConnell | 04 November 2021
Open source software tools and services are often created quickly and out of necessity. Linus Torvalds, for example, created the first version of git in a weekend when the Linux kernel team could no longer use BitKeeper for Source Control Management.
sigstore was created earlier this year to address the massive gap for an easy, trustable and efficient digital signing tool to confirm the provenance (origin) of software. Since March 2021 sigstore has been growing rapidly and is being used for various projects. This includes Kubernetes, one of the world’s largest open source projects.
But like Let’s Encrypt and the Linux Kernel, sigstore requires resources. Building the first version of the tool is different from bringing together resources to enable widespread adoption and support it for the long term. That’s why we’re excited to announce today that the project has received generous contributions from Chainguard, Cisco, HPE, Google, Red Hat and VMware to conduct an extensive security audit and hire a full-time developer relations engineer.
The reality is that today the majority of software isn’t digitally signed. Without signatures, there’s little evidence of the software’s provenance, so most software consumed is cryptographically untrusted. With sigstore, developers can digitally sign containers, artifacts, config-as-code, policy, and any given computer file. sigstore has the potential of becoming to digital signing what Let’s Encrypt is to HTTPS.
“By working to eliminate the requirements for specialized skills in cryptography, sigstore is committed to establishing trust and transparency in the open source supply chain. Removing this exclusivity is key to increasing developers’ access to cryptographic signing and creating an open log for accountability. Red Hat is proud to support sigstore’s constant commitment to open source in the supply chain security space,” said Luke Hinds, Senior Principal Software Engineer, Red Hat.
For more information about sigstore, please visit: https://blog.sigstore.dev/
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.