Interesting tidbit; sigstore was originally going to be called 'rekor' (the entire ecosystem). I was chatting with the The Linux Foundation about donation at the time. We hit possible legal bumps as a traffic monitoring company used the name rekor...

Frederic 🧊 Branczyk @[email protected] This is a benefit of attaching signed provenance outside the image. We use sigstore and it works great.

Getting reproducible image builds was one of the (many!) reasons we built our own tools for it, more about it here chainguard.dev/unchained/desi…

Securing the Supply Chain with Sigstore Artifacts Signatures at Scale - Dmitry Savintsev & Yonghe Zhao, from Yahoo youtube.com/watch?v=Tp-t_7…

Supply chain security took a giant leap forward this month as Sigstore officially became a graduated project within the OpenSSF. This milestone is a testament to Sigstore’s maturity, adoption. Learn more about Sigstore & how to get involved: openssf.org/blog/2024/03/2…
#OSSSecurity

To clarify, update cosign versions older than v2.2.0

Anyone using Cosign v1.x, please update to Cosign v2 or download the upcoming v1.13.3 release. We are rolling out a new TUF Trust Root blog.sigstore.dev/tuf-root-updat…

Sigstore - An OpenSSF Graduated Project blog.sigstore.dev/sigstore-opens…

February update blog:

blog.sigstore.dev/sigstore-feb24…

sigstore is now an openssf graduated project 🎉 github.com/ossf/tac/pull/…

Care (even a little bit) about using verified software? Watch this InfoQ presentation (or read the transcript) to get smarter on the important sigstore effort.

infoq.com/presentations/…

sigstore up for graduation github.com/ossf/tac/pull/…

Next week me and Valentin Hristev will speak about #containers and how to secure deployments and how you can utilize Project Harbor build in features like signing with #cosign from sigstore and implement blocking if Aqua Trivy finds something 🧀 in the image! :) #meetup

Now in Minder—new ways to help you secure your artifacts. Configure custom / private sigstore instances; do more expressive provenance checks; and use our pre-built policies to secure GitHub Actions workflows. stacklok.com/blog/4-ways-to…

Sigstore is aimed to ensure privacy & scalability, integrates technologies for seamless signing, verification, & provenance checks. 🔏 Explore how Yahoo utilizes #Sigstore alongside Athenz as an internal Certificate Authority for container image security: openssf.org/case-studies/2…

Our January roundup blog is now live: blog.sigstore.dev/sigstore-janua…

Very nice talk by Mihai Maruseac which proposes already existing solutions such as SLSA or sigstore to secure AI/ML the same way as traditional software PackagingCon

🚀 The sigstore-go library just cut its first release. The library now has sigstore bundle & rekor verification, Timestamp Authority verification , TUF support and more. Thanks to all community members working on this!
github.com/sigstore/sigst…

Official Bandit Scanner images are now available: github.com/PyCQA/bandit/p… , signed with sigstore

go-witness now support signing and verifying policy with sigstore

github.com/in-toto/go-wit…

Proud of the work we've done with Eclipse Foundation on integrating sigstore into their build pipelines! blogs.eclipse.org/post/mika%C3%A…