Kubernetes 1.24 will be the first release officially using Sigstore, enabling seamless verification of signatures to protect against supply chain attacks across the 5.6m developer community The Kubernetes and Sigstore communities today are announcing that Kubernetes is adopting Sigstore in production for signing artifacts and verifying signatures, enabling Kubernetes users…

We started the Sigstore project with a goal of making key management, certificates, and digital signatures accessible and easy to use for every developer and language community. It’s incredibly exciting to see our tooling and services used by new ecosystems, so we were thrilled to see the recent RFC from Shopify around improving the signing mechanisms on RubyGems using Sigstore. On behalf of the Sigstore community, we’d like to affirm that we’re here to help with this RFC in any way we can! We’re happy to make changes to Sigstore itself, or to collaborate on whichever new tools, services, or libraries are needed to make this effort successful.

I hope this post can help reduce confusion around exactly how Sigstore’s trust model works, and how trust flows from the community root down to each short-lived certificate. For more background, read A Deep Dive on Fulcio, It’s Ten O’Clock, Do You Know Where Your Private Keys Are?, …

This post is to help reduce confusion between the Notary V2/Notation and Cosign projects. This is a common question from end users that I tried to avoid answering directly for a while. Now that Notation has released an alpha, I think it’s time to publish an evaluation of the differences. …

October is almost done, so it’s time for another update! The supply chains are clearly haunted, so this one has a spooky theme. The community is still growing quickly, and the fancy new “Contributor Strength” dashboard reflects it!

This post accompanies a talk I just gave at the 2021 Open Source Summit, called Zero Trust Supply Chain Security. The slides are available here. Background Let’s say you’re walking down the sidewalk outside of your office, and you find a USB thumb drive sitting on the ground. I hope everyone…

Zero-trust security starts with trusting actual entities based on strong identity, not whoever happens to control a secret, or whoever gets behind a firewall. No secrets sounds great in theory! It even sounds a bit magical. How can we authenticate without any secrets? …

TOFU is an OK substitute for when you have nothing better, but it’s never the best choice. — Before you get upset, I’m not talking about the coagulated soy-bean excretion often served fried, I’m talking about the Trust-On-First-Use authentication scheme. Just like the food, there are times to reach for TOFU, but too much of it might not be the best for your health. …

Envelopes and Wrappers and Formats, Oh My! — There are a bunch of confusing formats and specifications that describe how to, well, format signatures and related information. This topic is confusing because terminology is hard and each specification tackles things at slightly different levels of abstraction, from slightly different angles. …