Zero-trust security starts with trusting actual entities based on strong identity, not whoever happens to control a secret, or whoever gets behind a firewall. No secrets sounds great in theory! It even sounds a bit magical. How can we authenticate without any secrets? In reality you can’t but you move the secrets around a bit and change how they work to get a similar effect.

Photo by Matias T on Unsplash

One common technique here is called , which leverages rather than explicit, fixed secrets. We’re excited to announce that is now fully supported in Project Sigstore! …

TOFU is an OK substitute for when you have nothing better, but it’s never the best choice.

Before you get upset, I’m not talking about the coagulated soy-bean excretion often served fried, I’m talking about the Trust-On-First-Use authentication scheme. Just like the food, there are times to reach for TOFU, but too much of it might not be the best for your health. This post dives into when TOFU works, when it doesn’t and some mitigations that make use of transparency logs.

Photo by Jana Leu on Unsplash

What is TOFU?

TOFU is an authentication system used to bootstrap trust between two entities on an untrusted network. Pretend you’re at a crowded train station looking for someone you’re supposed to meet named Alice to exchange a…

Envelopes and Wrappers and Formats, Oh My!

There are a bunch of confusing formats and specifications that describe how to, well, format signatures and related information. This topic is confusing because terminology is hard and each specification tackles things at slightly different levels of abstraction, from slightly different angles. This blog post tries to explain them all, with a few recommendations for specific use cases.

Photo by Cytonn Photography on Unsplash

This is mostly focused on the use of signatures in the context of supply chain security. This means signing artifacts, metadata, and code. Some information might be useful here in other contexts, but I make no promises.

Digital Signature Basics

Before we get into this…

Making TUF… Not so Tough?

This is a technical update on how we’re integrating The Update Framework into the Sigstore projects and infrastructure. If you’re not familiar with TUF, please consider reading this overview first!

Photo by Sara Cervera on Unsplash

A Delicious TUF sandwich

We use TUF in the Sigstore project to protect our own keys and infrastructure, but we’re also hoping to make it possible for end users to use TUF on their own, using the Sigstore tools. I call this the TUF sandwich!

Sigstore Root

The top slice in the sandwich is the Sigstore root of trust. We created this initial root during the key ceremony we performed back in June, and it consists…

It’s not their fault your build broke!

Open Source package managers are one of the most maligned pieces of software in common use today. I’m here to correct that criticism and tell developers that it’s not the package managers you hate — it’s what they’ve made you become. This contains a bit of a history lesson to explain how we got here today, as well as what I think the package management world will look like in the future.

Photo by CHUTTERSNAP on Unsplash

What Is A Package Manager?

A package manager is anything developers run to install packages! This category includes language-level package managers like , , , , , , , etc. This category…

And other Sigstore July Updates!

The cosign project started in February 2021 with a goal of making it easy to sign and verify containers on any OCI registry today. The community support has been incredible! We’ve added 7 maintainers from 5 organizations, and have merged 394 commits from 32 contributors across 10 organizations. Cosign has been tested on 13 OCI registries and is now packaged in five different package managers. We’ve cut seven releases over six months and are now thrilled to declare our first general availability release, cosign 1.0, which is ready for production use!

Photo by Kirill Sh on Unsplash

This means that the core feature set of signing…

Best Practices for Supply Chain Security

This blog post covers some best practices to keep in mind when generating metadata for supply chain security and policy systems. The advice here is generic, but will use vulnerability scans as an example to explain some of the concepts. This post will cover:

  • Signatures vs. Attestations
  • Supply Chain Provenance
  • How to design safe policy systems
  • How to think about vulnerability scans and deployment policy
Photo by Glenn Carstens-Peters on Unsplash


Policy engines like OPA/Gatekeeper, Kyverno, and Kubewarden play a critical role in software supply chain security by giving teams control over what can run in a production environment. They can be used to restrict user…

Note: This is current as of July 16th 2021

Photo by Hello I'm Nik on Unsplash

Let’s say you build and push a container image to a registry, and then you generate an SBOM, a signature, or anything else relevant to that image. You can easily store those other objects in a registry as well, but there’s no good way to indicate that those objects “refer” to the original image. If you have the image URL, you can’t automatically retrieve or lookup all the things that “refer” to it.

There are some workarounds for this that you can use today, but there are also a few different…

Maybe, but probably for a different reason than you think

TLDR; If you’re using GitHub, signing your commits is slightly better than not signing them. But probably not for the reason you think. The answer might shock you!

Photo by Jon Tyson on Unsplash

Let’s start with what most people thinking signing your commits does:

Things are speeding up!

Another month, another set of exciting updates! The Sigstore community has been working at a ferocious pace to harden our platforms and tools, while working on the larger picture of supply-chain security. The pieces are coming together, and the bigger vision of OSS supply chain transparency is getting a little less blurry.

Photo by Ran Berkovich on Unsplash

This means the Sigstore community is starting to engage deeper in our peer communities as we integrate and share knowledge in both directions. We want to thank them all for their help! In particular, the TektonCD, In-Toto, TUF, SPIFFE/SPIRE and CNCF TAG Security groups have been immensely helpful…

Dan Lorenc

Software Engineer at Google

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store