Sigstore Project Update — May 2021

Luke Hinds
3 min read · May 19, 2021

Welcome to our project update for May. We have a lot to update you on. As you can tell by now, things move quickly in sigstore, so let’s get into this!

The community is continuing to expand. We are now close to 400 members in our slack workspace. We now have 40 contributors and are growing each day.

cosign

Cosign is blazing ahead with lots of new features. It now has support for HashiCorp Vault KMS and offline verification of Rekor signatures (great for air-gapped instances). Windows binaries can now also be signed! All these features were shipped in cosign release v0.4.0.

fulcio

Fulcio continues on its path to maturity. We recently refactored out the test client code and added the ability for fulcio to sign RSA certificates (alongside ECDSA).

rekor

Rekor is close to release 0.2.0 which will include RFC 3161 timestamp responses. We are seeing continued interest in rekor, as it is so well suited to SBOM validation and storage, especially with its ability to allow customized schemas.

New Projects

We recently bootstrapped a helm sigstore plugin to allow signing and verification of helm charts.

The rubygems plugin is reaching completion: it is now possible to sign gems using keyless, OpenID-backed functionality, and work on the verification part is underway.

The maven plugin is now complete and we are in discussion with the community on how they can best leverage sigstore for JAR signing.

Sget is a really cool prototype put together by Dan Lorenc for signing and verification of curl | bash style operations by leveraging OCI registries. We plan to launch this as its own project, as the internet is awash with folks piping scripts off the internet or downloading artefacts with no trust guarantees.

signing party

The last preparations are occurring for the sigstore signing party. This will bootstrap the trust root of sigstore utilising TUF (The Update Framework). TUF is based on a key hierarchy.

Five community members (from Red Hat, Google and academia (Purdue University/NYU)) will generate five hardware-protected keys as TUF root roles and targets roles. These five keys will be utilized to sign the root keys used to establish sigstore’s root of trust for rekor, fulcio CA and the CTFE log. They will also sign all timestamps generated within sigstore’s ecosystem.

Using TUF also provides us with survivable key compromise.
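To make the "key hierarchy" and "survivable key compromise" points concrete, here is an added example (not sigstore's own code, nor the go-tuf library) that models a five-key TUF root with a signing threshold. The threshold of 3-of-5, the simplified metadata shape and the key ids are assumptions for the illustration; real TUF metadata carries more fields and a canonical JSON encoding. It shows that a quorum of key holders can sign a root, while an attacker holding a single key cannot produce an acceptable root, even by repeating their own signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// RootMeta is a deliberately simplified stand-in for TUF root metadata
// (assumption: real root.json has spec_version, expires, roles, keys, ...).
type RootMeta struct {
	Version   int      `json:"version"`
	Threshold int      `json:"threshold"`
	KeyIDs    []string `json:"keyids"`
}

// Signature binds a key id to a signature over the canonical metadata bytes.
type Signature struct {
	KeyID string
	Sig   []byte
}

// SignedRoot mirrors TUF's signed/signatures envelope.
type SignedRoot struct {
	Signed     RootMeta
	Signatures []Signature
}

// canonical encodes the metadata that is signed; json.Marshal on this
// tag-only struct cannot fail, so the error is ignored.
func canonical(m RootMeta) []byte {
	b, _ := json.Marshal(m)
	return b
}

// NewKeyring generates n ed25519 key pairs. Key ids are the hex SHA-256 of
// the public key bytes (an assumption, chosen to resemble TUF key ids).
// The id slice preserves generation order so callers stay deterministic.
func NewKeyring(n int) (map[string]ed25519.PublicKey, map[string]ed25519.PrivateKey, []string) {
	pubs := map[string]ed25519.PublicKey{}
	privs := map[string]ed25519.PrivateKey{}
	var ids []string
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		sum := sha256.Sum256(pub)
		id := hex.EncodeToString(sum[:])
		pubs[id], privs[id] = pub, priv
		ids = append(ids, id)
	}
	return pubs, privs, ids
}

// Sign appends a signature from the holder of keyID (one ceremony participant).
func Sign(sr *SignedRoot, keyID string, priv ed25519.PrivateKey) {
	sig := ed25519.Sign(priv, canonical(sr.Signed))
	sr.Signatures = append(sr.Signatures, Signature{KeyID: keyID, Sig: sig})
}

// VerifyThreshold accepts the root only if at least Threshold *distinct*
// trusted keys produced valid signatures. Unknown keys and repeated
// signatures from the same key do not count toward the quorum.
func VerifyThreshold(sr SignedRoot, trusted map[string]ed25519.PublicKey) bool {
	msg := canonical(sr.Signed)
	seen := map[string]bool{}
	valid := 0
	for _, s := range sr.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok || seen[s.KeyID] {
			continue
		}
		if ed25519.Verify(pub, msg, s.Sig) {
			seen[s.KeyID] = true
			valid++
		}
	}
	return valid >= sr.Signed.Threshold
}

// Demo builds the five-key root with an assumed 3-of-5 threshold and returns
// whether a proper quorum verifies and whether a single compromised key is
// rejected when it tries to publish a rogue root on its own.
func Demo() (quorumOK bool, forgeryRejected bool) {
	pubs, privs, ids := NewKeyring(5)

	root := SignedRoot{Signed: RootMeta{Version: 1, Threshold: 3, KeyIDs: ids}}
	for _, id := range ids[:3] { // three of the five holders sign
		Sign(&root, id, privs[id])
	}
	quorumOK = VerifyThreshold(root, pubs)

	// Attacker holds only ids[0] and repeats their signature hoping it counts twice.
	rogue := SignedRoot{Signed: RootMeta{Version: 2, Threshold: 3, KeyIDs: ids}}
	Sign(&rogue, ids[0], privs[ids[0]])
	Sign(&rogue, ids[0], privs[ids[0]])
	forgeryRejected = !VerifyThreshold(rogue, pubs)
	return
}

func main() {
	q, f := Demo()
	fmt.Printf("quorum root accepted: %v, single-key rogue root rejected: %v\n", q, f)
}
```

The survivability property comes from the distinct-key count in VerifyThreshold: losing one hardware key to an attacker does not let them replace the root, and the remaining holders can still reach the quorum to rotate it out.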

As we are a community who believe in openness and transparency, the signing will happen in the open. The signing event will be broadcast live by CNCF cloudnative.tv on the 18th of June. The signatures and public keys will all be recorded into a git repository (sigstore/root-signing); we then encourage everyone to fork this repository for accountability!

Release Manager

Sigstore now has a release manager! Carlos Tadeu Panato Jr will be bringing his experience as a kubernetes release manager to sigstore and will help to coordinate milestones and releases within sigstore’s projects.

Getting Involved!

As always, we truly welcome contributors and users to our community. We take pride in being friendly to new folks and fostering a welcoming and safe environment. Being a large open source project, there is always lots to do, and it’s not always complex coding tasks: helping with documentation, general testing or just telling others about sigstore are all valued contributions. Come and join our slack workspace and say hello!
