Sigstore Reaches GA For Working To Secure The Open-Source Software Supply Chain
This week Sigstore celebrated its general availability milestone and released v1.0 of its Rekor transparency log and Fulcio certificate authority. Sigstore now considers itself production-grade for software artifact signing and verification.
Sigstore provides an easy, cryptographically-backed way to sign code, to verify signatures against a transparency log, and to monitor that log so the software supply chain can be vetted. On the project site, sigstore.dev, Sigstore describes itself as:
sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.
A standardized approach
This means that open source software uploaded for distribution has a stricter, more standardized way of checking who’s been involved and that it hasn’t been tampered with. There’s no risk of key compromise, so third parties can’t hijack a release and slip in something malicious.
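What "checking who's been involved and that it hasn't been tampered with" looks like in code, as an added example in Go that is not code from Sigstore, cosign, Rekor or Fulcio: a toy append-only Merkle log with the RFC 6962 tree shape that Rekor uses, keyless-style signing with a throwaway Ed25519 key, and a verifier that accepts an artifact only if the signature checks out and the exact log entry is proven included under a root the verifier trusts. The names (Entry, Log, SignArtifact, VerifyArtifact), the leaf encoding and the sample artifact are assumptions for illustration; the Fulcio identity certificate and Rekor's signed checkpoints are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"math/bits"
)

// Entry is one toy log record (assumed layout). Rekor entries also carry the Fulcio
// certificate binding the key to an OIDC identity; that binding is omitted here.
type Entry struct {
	Digest    [32]byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// Leaf and interior hashes use the 0x00/0x01 domain-separation prefixes of RFC 6962.
func leafHash(e Entry) [32]byte {
	b := append([]byte{0x00}, e.Digest[:]...)
	return sha256.Sum256(append(append(b, e.Signature...), e.PublicKey...))
}

func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}

// split returns the largest power of two strictly below n (n >= 2).
func split(n int) int { return 1 << (bits.Len(uint(n-1)) - 1) }

// rootHash is MTH and inclusionProof is PATH from RFC 6962 (the tree shape Rekor uses),
// both over a non-empty leaf list.
func rootHash(leaves [][32]byte) [32]byte {
	if len(leaves) == 1 {
		return leaves[0]
	}
	k := split(len(leaves))
	return nodeHash(rootHash(leaves[:k]), rootHash(leaves[k:]))
}

func inclusionProof(leaves [][32]byte, i int) [][32]byte {
	if len(leaves) == 1 {
		return nil
	}
	k := split(len(leaves))
	if i < k {
		return append(inclusionProof(leaves[:k], i), rootHash(leaves[k:]))
	}
	return append(inclusionProof(leaves[k:], i-k), rootHash(leaves[:k]))
}

// rootFromProof retraces PATH's splits upward; a wrong index, size or proof length fails.
func rootFromProof(leaf [32]byte, i, n int, proof [][32]byte) ([32]byte, bool) {
	if n <= 1 {
		return leaf, n == 1 && i == 0 && len(proof) == 0
	}
	if i >= n || len(proof) == 0 {
		return leaf, false
	}
	k, sib, rest := split(n), proof[len(proof)-1], proof[:len(proof)-1]
	if i < k {
		r, ok := rootFromProof(leaf, i, k, rest)
		return nodeHash(r, sib), ok
	}
	r, ok := rootFromProof(leaf, i-k, n-k, rest)
	return nodeHash(sib, r), ok
}

// Log is the append-only transparency log; Append is its only write operation.
// Root and Proof require at least one entry.
type Log struct{ leaves [][32]byte }

func (l *Log) Append(e Entry) int     { l.leaves = append(l.leaves, leafHash(e)); return len(l.leaves) - 1 }
func (l *Log) Size() int              { return len(l.leaves) }
func (l *Log) Root() [32]byte         { return rootHash(l.leaves) }
func (l *Log) Proof(i int) [][32]byte { return inclusionProof(l.leaves, i) }

// SignArtifact mimics keyless signing: a fresh key signs the digest and is then dropped,
// so the durable evidence is the log entry rather than a long-lived private key.
func SignArtifact(tlog *Log, artifact []byte) (int, Entry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, Entry{}, err
	}
	d := sha256.Sum256(artifact)
	e := Entry{Digest: d, Signature: ed25519.Sign(priv, d[:]), PublicKey: pub}
	return tlog.Append(e), e, nil
}

// VerifyArtifact checks the signature over this exact artifact, then that this exact
// entry is included in the log under a root the verifier already trusts.
func VerifyArtifact(artifact []byte, e Entry, index, size int, proof [][32]byte, root [32]byte) bool {
	d := sha256.Sum256(artifact)
	if d != e.Digest || !ed25519.Verify(e.PublicKey, d[:], e.Signature) {
		return false
	}
	r, ok := rootFromProof(leafHash(e), index, size, proof)
	return ok && r == root
}
```

A release that is modified after signing fails at the digest check; a release re-signed by a third party with their own key carries a valid signature but an entry the log never recorded, so the inclusion proof does not reproduce the trusted root. If that third party instead gets their own entry appended, verification of their entry succeeds, but the entry is now public in an append-only log, which is what the "monitoring" part of Sigstore is for: the log makes hijacks auditable rather than undetectable. In the real system the verifier obtains the root from a checkpoint signed by Rekor and the signer's identity from the Fulcio certificate, both omitted above.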
Those wishing to learn more about Sigstore's general availability this week can find more details on the Google Open Source Blog and the Sigstore blog.