By Sigstore TSC & Community Chair
Supply chain security took a giant leap forward this month as Sigstore officially became a graduated project within the Open Source Security Foundation (OpenSSF). This milestone is a testament to Sigstore’s maturity, adoption, and its undeniable impact on making the creation and distribution of software more trustworthy.
What is Sigstore?
For those unfamiliar, Sigstore is a suite of tools for signing and verifying software artifacts such as binaries, container images and attestations. In a world increasingly concerned about supply chain attacks, Sigstore brings transparency and integrity to the software ecosystem. Key components include:
- Cosign: A user-friendly command-line tool to sign and verify software artifacts and container images. Alongside Cosign, individual language ecosystems have their own client libraries, such as sigstore-python or sigstore-js.
- Fulcio: A certificate authority that issues short-lived code-signing certificates bound to an identity (typically one asserted by an OpenID Connect token), so that no long-lived signing key has to be generated, stored or rotated.
- Rekor: An append-only transparency log providing a tamper-evident record of signatures and their metadata, so that a signing event can still be verified long after the short-lived certificate that produced it has expired.
Free-to-use instances of Fulcio and Rekor are operated by the community for the public good.
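To make the division of labour between the three components concrete, here is an added, self-contained Go model of the flow. It is not Sigstore's code and it talks to no Fulcio or Rekor instance: an in-process CA standing in for Fulcio issues a ten-minute certificate that binds an email identity to a freshly generated key, the artifact digest is signed and the key discarded, the signing event is appended to an in-memory RFC 6962 Merkle log standing in for Rekor, and the verifier checks chain, identity, signature and inclusion proof using only the CA root. Every name here (newCA, signAndLog, verifyArtifact, the bundle struct, the leaf encoding, the example identities and artifact names) is an assumption of this example; the real bundle format, Rekor entry types and identity checks differ.

```go
package main

import ("bytes"; "crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "crypto/x509"
	"crypto/x509/pkix"; "errors"; "fmt"; "math/big"; "time")

// Offline toy model of the Sigstore flow (an added example, not Sigstore's code): a CA in the Fulcio
// role issues ten-minute identity-bound code-signing certs, an in-memory RFC 6962 Merkle log in the
// Rekor role records each signing event, and a verifier checks both. No network or real instance.

// RFC 6962 hashing (leaf prefix 0x00, node prefix 0x01), root, inclusion proof, RFC 9162 2.1.3.2 check.
func leafHash(d []byte) []byte { h := sha256.Sum256(append([]byte{0}, d...)); return h[:] }
func nodeHash(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }
func split(n int) int { k := 1; for k*2 < n { k *= 2 }; return k } // largest power of two below n
func merkleRoot(leaves [][]byte) []byte {
	if len(leaves) == 1 { return leafHash(leaves[0]) }
	k := split(len(leaves))
	return nodeHash(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
}
func inclusionProof(leaves [][]byte, m int) [][]byte {
	if len(leaves) <= 1 { return nil }
	k := split(len(leaves))
	if m < k { return append(inclusionProof(leaves[:k], m), merkleRoot(leaves[k:])) }
	return append(inclusionProof(leaves[k:], m-k), merkleRoot(leaves[:k]))
}
func verifyInclusion(leaf []byte, m, n int, path [][]byte, root []byte) bool {
	if m >= n { return false }
	r, fn, sn := leafHash(leaf), m, n-1
	for _, p := range path {
		if sn == 0 { return false }
		if fn&1 == 1 || fn == sn { // p is a left sibling
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 { fn, sn = fn>>1, sn>>1 }
		} else { r = nodeHash(r, p) }
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// bundle (what the signer hands over) and leafBytes (log entry encoding) are simplified stand-ins
// for the real Sigstore bundle and Rekor entry types (assumption of this example).
type bundle struct { Signature, CertDER, Root []byte; IntegratedTime time.Time; LogIndex, TreeSize int; Proof [][]byte }
func leafBytes(digest, sig, cert []byte, t time.Time) []byte {
	return bytes.Join([][]byte{digest, sig, cert, []byte(t.UTC().Format(time.RFC3339))}, []byte{0xff})
}
// newCA is the Fulcio-role root of trust, the only long-lived key in the system.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); if err != nil { return nil, nil, err }
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-fulcio-root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key); if err != nil { return nil, nil, err }
	c, err := x509.ParseCertificate(der); return key, c, err
}
// signAndLog is the signer side: fresh key, cert bound to the identity, signature, log entry. The
// ephemeral key is dropped on return; there is no long-lived signing key to store, leak or rotate.
func signAndLog(caKey *ecdsa.PrivateKey, ca *x509.Certificate, tlog *[][]byte, identity string,
	artifact []byte, now, integrated time.Time) (bundle, error) {
	eph, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); if err != nil { return bundle{}, err }
	t := &x509.Certificate{SerialNumber: big.NewInt(int64(len(*tlog) + 2)), EmailAddresses: []string{identity},
		NotBefore: now, NotAfter: now.Add(10 * time.Minute), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	certDER, err := x509.CreateCertificate(rand.Reader, t, ca, &eph.PublicKey, caKey); if err != nil { return bundle{}, err }
	d := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, eph, d[:]); if err != nil { return bundle{}, err }
	*tlog = append(*tlog, leafBytes(d[:], sig, certDER, integrated))
	idx := len(*tlog) - 1
	return bundle{sig, certDER, merkleRoot(*tlog), integrated, idx, len(*tlog), inclusionProof(*tlog, idx)}, nil
}
// verifyArtifact is the verifier side: it trusts only the CA root and the log root it is given.
func verifyArtifact(ca *x509.Certificate, wantIdentity string, artifact []byte, b bundle) error {
	cert, err := x509.ParseCertificate(b.CertDER); if err != nil { return err }
	roots := x509.NewCertPool(); roots.AddCert(ca)
	// Validity is judged at the log's integrated time, not now: the cert is normally long expired.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: b.IntegratedTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil { return fmt.Errorf("chain: %w", err) }
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantIdentity { return errors.New("wrong identity") }
	d := sha256.Sum256(artifact)
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey)
	if pub == nil || !ecdsa.VerifyASN1(pub, d[:], b.Signature) { return errors.New("signature does not match artifact") }
	leaf := leafBytes(d[:], b.Signature, b.CertDER, b.IntegratedTime)
	if !verifyInclusion(leaf, b.LogIndex, b.TreeSize, b.Proof, b.Root) { return errors.New("not in transparency log") }
	return nil
}

// runDemo: "" verifies; "tamper" alters the artifact after signing; "impostor" signs under another
// identity; "late" has the log record the entry an hour after the ten-minute cert expired.
func runDemo(scenario string) error {
	caKey, ca, err := newCA(); if err != nil { return err }
	tlog := [][]byte{[]byte("earlier entry 0"), []byte("earlier entry 1")} // constructed earlier entries
	now := time.Now(); integrated, identity := now, "dev@example.com"
	if scenario == "late" { integrated = now.Add(time.Hour) }
	if scenario == "impostor" { identity = "attacker@example.com" }
	artifact := []byte("my-tool-2.3.0-linux-amd64") // constructed sample artifact
	b, err := signAndLog(caKey, ca, &tlog, identity, artifact, now, integrated); if err != nil { return err }
	if scenario == "tamper" { artifact[0] ^= 1 }
	return verifyArtifact(ca, "dev@example.com", artifact, b)
}
func main() { for _, s := range []string{"", "tamper", "impostor", "late"} { fmt.Printf("scenario %q: %v\n", s, runDemo(s)) } }
```

Two design points carry over to the real system. First, the verifier passes the log's integrated time, not the wall clock, as the time at which the certificate must be valid; that is why a ten-minute certificate is enough and why the "late" scenario fails. Second, chaining to the CA root is not sufficient on its own: the verifier must also pin the identity it expects, which is why the "impostor" scenario fails even though the certificate is genuine. `cosign verify` enforces the same thing by requiring `--certificate-identity` and `--certificate-oidc-issuer`.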
Why Graduation Matters
Within the OpenSSF, projects achieve “graduated” status when they demonstrate a high level of stability, a thriving community, well-defined governance, and adherence to security best practices. Sigstore’s graduation underscores several important things:
- Trust and Reliability: Sigstore has undergone significant vetting, gaining the trust of major stakeholders and making it an even more compelling choice for ecosystems and organizations seeking to elevate their software security.
- Widespread Adoption: Its graduation speaks to the growing recognition of code signing and transparency as key elements in modern software supply chain security.
- A Thriving Ecosystem: Sigstore boasts a vibrant community of contributors and users driving innovation and ensuring the project’s continued success.
Get Involved
If you’re passionate about open-source software security, now’s the perfect time to get involved with Sigstore! Here’s how:
- Use Sigstore: Start signing and verifying your software artifacts. (https://www.sigstore.dev/, https://docs.sigstore.dev/)
- Contribute: Dive into the projects in the organization (https://github.com/sigstore/), share your expertise on issues, or help with documentation.
- Help drive adoption: If you’re a maintainer of a package or artifact repository looking to integrate signing or would like help to start signing artifacts, reach out on Sigstore’s Slack channel!
Celebrating Graduation!
Congratulations to the Sigstore team, contributors, and the OpenSSF community for this momentous milestone!