Software supply chain security quickly became a hot topic in the last few years, especially as the number of high-profile attacks increased and the White House got involved. Sigstore, an open source project supported by the likes of Google, GitHub, Chainguard and Red Hat, has become something of a standard for signing, verifying and protecting software projects — and the dependencies they use — to make sure that the software you install and run on your machines hasn’t been manipulated. These days, after all, there aren’t many software projects that don’t rely on at least one — and usually multiple — open-source libraries, which themselves probably rely on other libraries, too. And with many of these projects maintained by volunteers, they make for an easy target for attackers.
“Sigstore has rapidly become the standard for signing, verifying, and protecting software, so it’s great to announce the general availability to remove one last barrier for more widespread adoption during a time when software supply chain security is more important than ever,” said Priya Wadhwa, a member of the Sigstore Technical Steering Committee and software engineer at Chainguard. “It is our hope that this next phase of Sigstore will empower the rest of the open source software ecosystem to gain increased confidence in adopting this technology and benefit from its reliable and stable experience.”
The Sigstore community promises 99.5% uptime and pager support — more than most free projects can offer. Sigstore, it’s worth noting, is a nonprofit project funded under the Open Source Security Foundation. Sigstore itself consists of a number of projects for signing containers, recording that signing information in an immutable, append-only ledger and, of course, issuing the signing certificates in the first place.