Free sigstore signing service confirms software origin and authenticity
2021-03-10 03:30

The Linux Foundation, the nonprofit organization enabling innovation through open source, today announced the sigstore project, which improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies.

Sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries.

The service will be free to use for all developers and software providers, with the sigstore code and operation tooling developed by the sigstore community.

"Sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain," said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO. "By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development."

"I am very excited about the prospects of a system like sigstore. The software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance, to identify criminal networks and secure critical software infrastructure. This will set a new tone in the software supply chain security conversation," said Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, University of Purdue / in-toto project founder.

"We are happy to host and contribute to work that enables software maintainers and consumers alike to more easily manage their open source software and security."


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/aipDJr_DD4Q/