As part of today’s White House Open Source Security Summit, we are calling on the software industry to standardize on Sigstore and on the U.S. government to signal its support.…
Does the psychic signature vulnerability also affect Sigstore, a code artifact signing and verification project? The short answer is NO!…
Here at Chainguard, we believe that everyone benefits from better security in open-source software. That’s why we’re so excited that the OpenSSF has just created a new “Securing Software Repositories” working group, which aims to bring maintainers of software repositories and package managers together to share and develop…
Kelsey Hightower hosted a Twitter Space on Sigstore: a new standard for signing and verifying software on March 22, 2022. The software industry has been flying blind. It's time we start signing and verifying the stuff we build and ship to the world. Join me and a few…
The recently published NIST SSDF Recommendations can seem intimidating; the good news is that the open source project Sigstore can help you and your team meet many of the recommendations.…
If you've been following the Chainguard blog, you might ask yourself: how do I run the open-source sigstore stack on my machine? While sigstore is often deployed using Kubernetes, it is flexible enough to run nearly anywhere: from a Raspberry Pi to an IBM mainframe. This article will demonstrate how…
In this post, we’ll walk you through setting up Tekton Chains on Amazon EKS to improve the security of your Tekton pipelines. Tekton Chains simplifies signing software via “keyless signing”, which means that users don’t have to manage private keys or be responsible for distributing public keys. Instead,…
In a previous blog article, we illustrated how simple it was to use Sigstore on Amazon EKS to perform keyless signing. Keyless signing is now also available on Azure AKS thanks to the recent addition of OpenID Issuer support. In this post, we will sign images created on an AKS…