sign. verify. protect.

Making sure your software is what it claims to be.

In collaboration with OpenSSF, Chainguard, Cisco, GitHub, Google, HPE, Purdue University, Red Hat, Stacklok, and VMware.

The problem with software supply chain security


Modern software projects are built upon software libraries and tools from a variety of sources. This leaves your project open to breaches, exploits, and supply chain attacks. The risks can be difficult to spot, and safely using software dependencies can require constant identity checks and careful handling of keys and secrets.

What is Sigstore?

Sigstore is a collection of open source tools that can be used individually or in concert to improve your software supply chain security. The Sigstore framework empowers software developers and consumers to securely sign and verify software artifacts.

Our vision

Sigstore's goal is to improve supply chain technology for anyone using software dependencies. Sigstore is made for open source maintainers, by open source maintainers, and is applicable to proprietary software as well.

Sigstore is a direct response to today’s supply chain challenges. We are working towards a future where there is a broadly accepted (and achievable) project integrity standard.

What makes Sigstore different?

Sigstore streamlines how you digitally sign and verify components. Our automated tooling makes it easy to trace your software back to the source. Sigstore is the easiest way to understand your software's chain of custody, and it is a great solution for all open source software producers and users.


Key management and short-lived certificates

Worried about leaked or lost keys? Sigstore's Cosign can use ephemeral key material and short-lived certificates to sign and verify artifacts.
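To make the ephemeral-key idea concrete, here is an added Go example written for this page; it is not Cosign's code and not its bundle format. It generates a throwaway P-256 key, signs an artifact digest, and keeps only the public key, bound to an identity with a ten-minute validity window (a constructed stand-in for the short-lived certificate; real Sigstore certificates are X.509 certificates issued by Sigstore's certificate authority). The verifier checks the certificate window against the time the signature was made, not against its own clock, which is the property that lets a certificate expire minutes after signing while signatures stay verifiable for years. The identity, timestamps, window length and artifact bytes are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// Bundle is what the signer hands to consumers. It is a constructed
// simplification of a Sigstore-style signing bundle, not Cosign's real format:
// the short-lived certificate is reduced to the ephemeral public key, the
// identity the issuer vouched for, and the certificate's validity window.
type Bundle struct {
	Digest    [32]byte  // sha256 of the artifact
	Signature []byte    // ASN.1 ECDSA signature over Digest
	PubKey    []byte    // PKIX DER encoding of the ephemeral public key
	Identity  string    // signer identity the certificate binds to the key
	NotBefore time.Time // certificate validity window start
	NotAfter  time.Time // certificate validity window end
}

// Sign generates a fresh P-256 key, signs the artifact, and lets the private key
// go out of scope. Only the public half survives, bound to identity for ten
// minutes (the window length is an assumption for this example).
func Sign(artifact []byte, identity string, now time.Time) (Bundle, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Bundle{}, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Bundle{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{Digest: digest, Signature: sig, PubKey: pub, Identity: identity,
		NotBefore: now, NotAfter: now.Add(10 * time.Minute)}, nil
}

// Verify is the consumer side. signedAt is the time a trusted third party (in
// Sigstore, the transparency log's integrated time) says the signature was
// made. The certificate is checked against signedAt, not against the clock at
// verification time: by the time anyone verifies, a short-lived certificate
// has usually already expired, and that is expected.
func Verify(artifact []byte, b Bundle, wantIdentity string, signedAt time.Time) error {
	if sha256.Sum256(artifact) != b.Digest {
		return errors.New("artifact digest does not match the signed digest")
	}
	if b.Identity != wantIdentity {
		return fmt.Errorf("certificate identity %q, expected %q", b.Identity, wantIdentity)
	}
	if signedAt.Before(b.NotBefore) || signedAt.After(b.NotAfter) {
		return errors.New("signature was made outside the certificate's validity window")
	}
	pub, err := x509.ParsePKIXPublicKey(b.PubKey)
	if err != nil {
		return err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(ecPub, b.Digest[:], b.Signature) {
		return errors.New("signature does not verify under the certificate's key")
	}
	return nil
}

func main() {
	now := time.Date(2024, 9, 14, 12, 0, 0, 0, time.UTC) // constructed timestamp
	artifact := []byte("constructed artifact: release-1.0.0.tar.gz contents")
	b, err := Sign(artifact, "release-bot@example.com", now)
	if err != nil {
		panic(err)
	}
	// The verifier never consults the wall clock: only the signing time matters.
	fmt.Println("genuine:", Verify(artifact, b, "release-bot@example.com", now.Add(3*time.Minute)))
	// A signature claimed to have been made an hour later would need a new certificate.
	fmt.Println("late:   ", Verify(artifact, b, "release-bot@example.com", now.Add(time.Hour)))
	fmt.Println("altered:", Verify(append(artifact, '!'), b, "release-bot@example.com", now.Add(3*time.Minute)))
}
```

The design choice worth noticing is the last argument to Verify: a short-lived certificate only works if something other than the signer attests when the signature happened, which is why the ephemeral-key story and the transparency log belong together.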


Transparent ledger technology

Sigstore's Rekor provides an immutable, tamper-resistant, transparent ledger of signatures and software metadata. Our public Rekor instance makes it easy to find and verify signatures, and detect changes to the source code, the build platform, or the artifact repository. You can also host your own Rekor instance.
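To show what "immutable, tamper-resistant, transparent ledger" means mechanically, here is an added Go example written for this page; it is not Rekor's code. It keeps a small append-only log as an RFC 6962 Merkle tree, issues an inclusion proof for one record, verifies that proof against the tree root with the RFC 9162 audit-path algorithm, and then shows that rewriting a stored record afterwards changes the root, so anyone who saved the earlier root detects the change. The records are constructed strings standing in for signature entries.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Log is a toy append-only transparency log kept as an RFC 6962 Merkle tree,
// written for this example (it is not Rekor's implementation). Each record is
// opaque bytes; a real log entry would hold the signature, certificate and digest.
type Log struct{ records [][]byte }

// RFC 6962 domain separation: leaves hash with a 0x00 prefix, interior nodes
// with 0x01, so a leaf can never be passed off as an interior node.
func leafHash(record []byte) [32]byte {
	return sha256.Sum256(append([]byte{0}, record...))
}

func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{1}, l[:]...), r[:]...))
}

// Append is the only write path: a record goes on the end and is never edited.
// It returns the record's index, which a consumer needs to check a proof.
func (l *Log) Append(record []byte) int {
	l.records = append(l.records, append([]byte(nil), record...))
	return len(l.records) - 1
}

// Root is the tree hash over every record currently in the log.
func (l *Log) Root() [32]byte {
	root, _ := rootAndPath(l.leaves(), 0)
	return root
}

// Prove returns the audit path (bottom-up sibling hashes) for record i.
func (l *Log) Prove(i int) [][32]byte {
	_, path := rootAndPath(l.leaves(), i)
	return path
}

func (l *Log) leaves() [][32]byte {
	out := make([][32]byte, len(l.records))
	for i, r := range l.records {
		out[i] = leafHash(r)
	}
	return out
}

// rootAndPath computes the RFC 6962 tree hash of leaves together with the audit
// path for index i, splitting at the largest power of two below len(leaves).
func rootAndPath(leaves [][32]byte, i int) ([32]byte, [][32]byte) {
	if len(leaves) == 0 {
		return sha256.Sum256(nil), nil // hash of the empty tree
	}
	if len(leaves) == 1 {
		return leaves[0], nil
	}
	k := 1
	for k*2 < len(leaves) {
		k *= 2
	}
	if i < k {
		sub, path := rootAndPath(leaves[:k], i)
		right, _ := rootAndPath(leaves[k:], 0)
		return nodeHash(sub, right), append(path, right)
	}
	left, _ := rootAndPath(leaves[:k], 0)
	sub, path := rootAndPath(leaves[k:], i-k)
	return nodeHash(left, sub), append(path, left)
}

// VerifyInclusion is the RFC 9162 inclusion-proof check. A consumer needs only
// the record, its index, the tree size, the audit path and a root it trusts.
func VerifyInclusion(record []byte, index, size int, path [][32]byte, root [32]byte) bool {
	if index >= size {
		return false
	}
	fn, sn, r := index, size-1, leafHash(record)
	for _, p := range path {
		if sn == 0 {
			return false // path is longer than the tree allows
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r) // sibling is on the left
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = nodeHash(r, p) // sibling is on the right
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && r == root
}

func main() {
	log := &Log{}
	for _, r := range []string{"sig:alice:aaa", "sig:ci:bbb", "sig:bob:ccc"} { // constructed
		log.Append([]byte(r))
	}
	record := []byte("sig:release-bot:ddd") // constructed
	idx := log.Append(record)
	root, size, path := log.Root(), len(log.records), log.Prove(idx)
	fmt.Println("included under published root:", VerifyInclusion(record, idx, size, path, root))
	// Rewriting a stored record afterwards changes the root, so anyone holding the
	// earlier root (a monitor, or a consumer who saved it) detects the change.
	log.records[1] = []byte("sig:mallory:bbb")
	fmt.Println("root unchanged after tamper:", log.Root() == root)
	fmt.Println("rewritten record verifies against old root:",
		VerifyInclusion(log.records[1], 1, size, log.Prove(1), root))
}
```

A consumer needs only the audit path and a root it already trusts, which is what makes the log auditable by third parties rather than by the operator alone; hosting your own instance changes who runs the log, not how the proof is checked.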


Driven by our community

Sigstore is maintained by passionate believers in an open, transparent, and accountable future for open source software. Everything we do comes from a love of open source software and a desire to help others use it securely.



Press

"The software ecosystem is in dire need of something like Sigstore to report the state of the supply chain."

Lawrence Abrams
Bleeping Computer


Blog post

“We need to make it possible to verify provenance along the entire chain and the goal of the Sigstore effort is to enable just that.”

Ryan Hurst
Google Production Security Team


Integration: KPACK

An integration to sign images ... and push the signatures to a registry so that users can ensure the chain of custody of a generated artifact.


Case Study: NPM

“How to verifiably link npm packages to their source repository and build instructions.”

Brian DeHamer, Philip Harrison
GitHub Package Security Team


Blog Post

"An open source community coming together to collaborate and develop a solution to ease the adoption of software signing..."

Luke Hinds
Co-creator, Sigstore & Senior Principal Software Engineer, Red Hat


Case Study: Stacklok

We're excited to announce the launch of Minder and Trusty, two free-to-use tools that build on the power of the open source project Sigstore...


Press

“Sigstore will make code signing free and easy for software developers, providing an important first line of defense.”

Lily Hay Newman
Wired


News & Events

SigstoreCon 24 - Software Supply Chain Event, November 12, 2024. Utah, USA (news, Sep 14, 2024)

Sigstore - Simplifying Code Signing for Open Source Ecosystems (news, Nov 21, 2023)

Wind River Further Expands VxWorks RTOS Containers Leadership with Cosign Support (news, Nov 1, 2023)

JPMorgan’s Global CISO urges use of Sigstore, Alpha-Omega in open source security drive (news, Oct 5, 2023)

Sigstore support in npm released in public beta (release, Apr 19, 2023)

Help build a safer future with us.