Today we are launching the Chainguard Images Sigstore bundle, a collection of 17 images, compatible with the official Helm charts, that gives enterprises the most secure way to run Sigstore in their own environments: images with low CVE counts, a minimal footprint, Software Bills of Materials (SBOMs) and more. The Chainguard Images Sigstore bundle contains everything an organization needs to run its own Sigstore stack, including Fulcio, Rekor, Trillian, CT Log, Redis, Cosign, Timestamp Authority and the utilities required to configure them. Using our Chainguard Images for Sigstore makes software signing accessible to organizations looking for a private, on-prem offering to fill a critical gap in their software supply chain security posture. The bundle is already being used by Hewlett Packard Enterprise (HPE).
Risk management is all about making informed decisions, and having robust details about the authenticity, provenance, and integrity of software artifacts, and about those involved in their creation and distribution, is crucial to that. Our Chainguard Images Sigstore bundle aims to give organizations all the benefits of a supported Sigstore stack optimized for enterprise deployments, together with the control and ownership they need to run it safely and securely and to meet their compliance requirements. FIPS-compliant versions of the Chainguard Images for Sigstore are also available.