Sigstore is a Linux Foundation project developed by Google and Red Hat for code signing
Mar 10, 2021 00:30 EST
An inherent weakness of open source code is that it's difficult to determine its provenance and how it was built, which means that it's prone to supply chain attacks. Google aims to solve this problem, which is why it has collaborated with Red Hat and Smallstep to introduce Sigstore (stylized "sigstore") in the Linux Foundation, making it easier to digitally sign and verify source code.
Additionally, all sigstore certifications and attestations are stored in Transparency Logs backed by Trillian, and can be viewed and audited by anyone. Google says that it understands the challenges behind long-term key management and key distribution so it will issue short-lived certificates based on OpenID Connect grants and a Root Certificate Authority (CA) for the express purpose of code signing.
Linux Foundation announces new open-source software signing service
zdnet.com
With sigstore, the Linux Foundation will authenticate open source services
lemondeinformatique.fr
The Linux Foundation, Red Hat and Google present sigstore, which aims to prevent future cyberattacks like the SolarWinds one
genbeta.com
Linux Foundation Announces Free sigstore Signing Service to Confirm Origin and Authenticity of Software
Red Hat, Google and Purdue University lead efforts to ensure software maintainers, distributors and consumers have full confidence in their code, artifacts and tooling
SAN FRANCISCO, March 9, 2021 /PRNewswire/ -- The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the sigstore project. sigstore improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies.
sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log. The service will be free to use for all developers and software providers, with the sigstore code and operation tooling devel