Cryptographic software assurance backed by Google, Red Hat, Purdue U
Share
Copy
The Linux Foundation, with the support of Google, Red Hat, and Purdue University, is launching a service called sigstore to help developers sign the code they release.
Signing code involves associating a cryptographic signature with a specific digital artifact – release files, container images, and binaries – so that the person using the software can check the code's signature to verify that the release is authentic and hasn't been altered by someone along the way.
"Sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain," said Luke Hinds, security engineering lead in Red Hat's office of the CTO, in a statement.