This milestone paves the way for every open source project to improve security by default
DETROIT, MI, October 25, 2022 – Today at SigstoreCon, the Sigstore community announced the general availability of its free software signing service, giving open source communities access to production-grade, stable services for artifact signing and verification. Sigstore provides a set of tools designed to improve supply chain security by making it easy to sign, verify, and check the software that developers are building and consuming.
In the face of increasing software supply chain security concerns, Sigstore is quickly becoming one of the fastest adopted open source technologies in history. To date over 4 million signatures have been logged using Sigstore and two of the world’s largest open source communities, Kubernetes and Python, have adopted Sigstore’s wax seal of authenticity by signing their production releases with Sigstore. Most recently, npm announced they are actively working to integrate Sigstore, so all npm packages can be reliably linked to their source code and build instructions.
“Signatures on software components are an essential part of securing the global software supply chain. Before Sigstore, only the last mile to the consumer was well secured. Now we can be assured of the integrity of the upstream components we depend upon with an easy-to-use toolkit and service,” said Brian Behlendorf, General Manager of the OpenSSF. “Kudos to the Sigstore developers, advocates, and other contributors for getting not just to 1.0, but already to widespread implementation and impact.”
“Sigstore has rapidly become the standard for signing, verifying, and protecting software, so it’s great to announce the general availability to remove one last barrier for more widespread adoption during a time when software supply chain security is more important than ever,” said Priya Wadhwa, member of the Sigstore Technical Steering Committee and software engineer at Chainguard. “It is our hope that this next phase of Sigstore will empower the rest of the open source software ecosystem to gain increased confidence in adopting this technology and benefit from its reliable and stable experience.”
“The adoption rate of Sigstore has far exceeded our expectations and illustrates well the need for a GA release of Sigstore’s APIs. GA will signal stability and reliability to the communities we seek to serve now and into the future,” said Luke Hinds, founder of the Sigstore project and security engineering lead at Red Hat, Office of the CTO.
“I am very excited to see Sigstore reach GA. It is a fundamental milestone for a project that is quickly becoming a favorite to protect the software supply chain,” said Santiago Torres-Arias, member of the Sigstore Technical Steering Committee and Professor at Purdue University. “This not only speaks to the project’s maturity and the ways that it commits to serve its already large user base, but is a signal for future adopters to know that they can rely on Sigstore to protect their communities and ecosystems.”
“This general availability milestone, and the related v1.0 releases, unlock wider use of transparent digital signatures across the software supply chain,” said Bob Callaway, co-founder of Sigstore and Tech Lead & Manager of Google’s Open Source Security Team. “I’m proud of the work of my colleagues and the wider community, because it ensures we have a vendor-neutral operations team and are set up to onboard additional projects and open source software ecosystems.”
“The GA of Sigstore is a huge milestone for all software ecosystems,” said Trevor Rosen, member of the Sigstore Technical Steering Committee and Staff Engineering Manager at GitHub. “For far too long, users of open source projects have had to blindly place their faith in code and artifacts whose origins can be difficult or impossible to fully vet. By offering a comprehensive system for signing and verifying open source software, Sigstore is creating a bedrock foundation that everyone from hobbyists to enterprises can build on, offering trust backed by strong guarantees.”
The Sigstore community will operate the service with a 99.5% uptime SLO and round-the-clock pager support. Project sponsors Google, Red Hat, GitHub, and Chainguard, among others, have helped make this possible by providing the resources to support the service level objectives. Over 70 organizations, including Shopify, Autodesk, Trail of Bits and Rancher Government Solutions, are actively involved in maintaining and scaling Sigstore.
More information about today’s news, including technical updates, can be found on the Sigstore blog. Visit Sigstore.dev for up-to-date documentation, best practices, and case studies for using Sigstore.
Sigstore Champion Quotes:
“As leaders in the Ruby community, Shopify is proud to champion Sigstore’s efforts to ensure privacy, trust, and security for its community. We look forward to our continued partnership with Sigstore to pioneer technology in the Ruby ecosystem.” – Jacques Chester, Senior Staff Developer at Shopify
“Sigstore is the cornerstone to deliver great UX for practical remote attestation in confidential computing. It enables our confidential Kubernetes to be end to end verifiable.” – Felix Schuster, CEO at Edgeless Systems
“As security experts on some of the world’s most targeted systems, Trail of Bits is excited to be a partner in the progress that Sigstore has made toward software signing and verification,” said William Woodruff, Senior Security Engineer at Trail of Bits. “The Sigstore community is a great example of how open source communities should operate. We look forward to further collaboration, particularly in the domain of package management!”
“Sigstore will power a new security capability in the npm ecosystem – a reliable way to connect a package back to its source code and build instructions,” said Zach Steindler, Staff Security Engineer at GitHub and Program Manager for the npm integration. “The GA means we can rely on it in production, which in turn gives our users more confidence that npm packages contain what they claim. This couldn’t be more timely, as everyone is looking to improve their software supply chain security.”
“Using Sigstore to sign the Python release artifacts provides a unique benefit to Python users by giving them an easy and secure means to verify the integrity of Python itself. It also benefits Python maintainers by providing a signing technology that is easier to use, more resistant to key loss, and includes additional protections to detect potential compromise.” – Dustin Ingram, Director, Python Software Foundation
About the Open Source Security Foundation
The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: openssf.org.
About the Linux Foundation
Founded in 2000, the Linux Foundation and its projects are supported by more than 3,000 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, PyTorch, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
Media Contact: Jennifer Bly, OpenSSF