Sigstore Project Update — May 2021

Welcome to our project update for May. We have a lot to update you on. As you can tell by now, things move quickly in sigstore, so let’s get into this!

The community is continuing to expand. We are now close to 400 members in our Slack workspace, and we have 40 contributors, with more joining each day.

cosign

fulcio

rekor

New Projects

The rubygems plugin is nearing completion: it is now possible to sign gems using keyless, OpenID-backed functionality, and work on the verification part is underway.

The maven plugin is now complete and we are in discussion with the community on how they can best leverage sigstore for JAR signing.

Sget is a really cool prototype put together by Dan Lorenc for signing and verifying curl | bash style operations by leveraging OCI registries. We plan to launch it as its own project, as the internet is awash with folks piping scripts off the internet or downloading artefacts with no trust guarantees.

signing party

Five community members (from Red Hat, Google and academia (Purdue University/NYU)) will generate five hardware-protected keys for the TUF root role and targets role. These five keys will be used to sign the root keys that establish sigstore's root of trust for rekor, the fulcio CA and the CTFE log. It will also sign all timestamps generated within sigstore's ecosystem.

Using TUF also provides us with survivable key compromise.

As we are a community that believes in openness and transparency, the signing will happen in the open. The signing event will be broadcast live by CNCF cloudnative.tv on the 18th of June. The signatures and public keys will all be recorded in a git repository (sigstore/root-signing), and we encourage everyone to fork this repository for accountability!
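To show what the multi-key root signing above buys a verifier, here is an added example (not sigstore's or the TUF reference code) of threshold verification over a simplified TUF role: five Ed25519 keys stand in for the five hardware-protected keys, the keyid scheme is a simplified hex SHA-256 of the raw public key, and the 3-of-5 threshold used in the test is an assumption for illustration, not a value from this post. The point it demonstrates is that only signatures from distinct trusted keys count, so no single compromised key, replayed signature or outsider key can satisfy the role.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Signature is one signer's signature over the "signed" portion of a TUF metadata file.
type Signature struct{ KeyID string; Sig []byte }

// Role is a simplified TUF role: the trusted public keys by keyid, and the signature threshold.
type Role struct{ Keys map[string]ed25519.PublicKey; Threshold int }

// keyID is the hex SHA-256 of the raw public key (simplified from TUF's canonical-JSON keyid).
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewRole generates n Ed25519 keypairs standing in for the hardware-protected keys (assumption).
func NewRole(n, threshold int) (Role, []ed25519.PrivateKey) {
	role := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: threshold}
	var privs []ed25519.PrivateKey
	for i := 0; i < n; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		role.Keys[keyID(pub)] = pub
		privs = append(privs, priv)
	}
	return role, privs
}

// Sign is the contribution of one key holder over the signed metadata bytes.
func Sign(priv ed25519.PrivateKey, signed []byte) Signature {
	return Signature{KeyID: keyID(priv.Public().(ed25519.PublicKey)), Sig: ed25519.Sign(priv, signed)}
}

// VerifyThreshold accepts signed only if at least Threshold distinct trusted keys signed it:
// unknown keyids and repeat signatures by one key do not count toward the threshold.
func (r Role) VerifyThreshold(signed []byte, sigs []Signature) bool {
	seen := map[string]bool{}
	for _, s := range sigs {
		if pub, ok := r.Keys[s.KeyID]; ok && !seen[s.KeyID] && ed25519.Verify(pub, signed, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen) >= r.Threshold
}
```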

Release Manager

Getting Involved!

Security Engineer @ Red Hat CTO