Chainguard announces new Sigstore Images to bring critical software supply chain tooling to enterprises

Kaylin Trychon, Vice President of Marketing
November 14, 2023

On our journey to evangelize Sigstore, we’ve heard feedback that users sometimes have different signing requirements for private and public software artifacts. Enterprises with private artifacts may have concerns about leaking sensitive private information and may not be able to store any information in the public instance log. For these users, public Sigstore infrastructure is not an option, and they need an alternative solution.

Today we are launching the Chainguard Images Sigstore bundle, a collection of 17 images, compatible with the official helm charts, that provides enterprises the most secure way to run Sigstore in their own environments with images that contain low CVEs, a minimal footprint, Software Bills of Material (SBOMs) and more. The Chainguard Images Sigstore bundle contains everything needed for an organization to run its own Sigstore stack, including Fulcio, Rekor, Trillian, CT Log, Redis, Cosign, Timestamp Authority and the utilities required to configure them. Using our Chainguard Images for Sigstore makes software signing accessible to organizations that are looking for a private, on-prem offering to fill a critical gap in their software supply chain security posture. The bundle is already being leveraged by Hewlett Packard Enterprise (HPE).

Bar graph comparing quantity of Sigstore bundle total vulnerabilities in Upstream Images (10) versus Chainguard Images (0).

Our CISO & Developer Trends in Software Supply Chain Security Report found that 56% of developers say their organizations have adopted digital signature software tooling like Sigstore. In just two short years, Sigstore has grown from a small side project to a critical piece of infrastructure securing open source software for everyone. It is now integrated with five of the major package manager ecosystems, including Python, NPM, Maven Central, OCI and Homebrew. This is a testament to the hard work of the Sigstore community as well as the glaring gap in supply chain security that was waiting to be filled by a developer-friendly, flexible platform.

Risk management is all about making informed decisions and having robust details around the authenticity, provenance, and integrity of software artifacts and those involved in their creation and distribution is crucial. Our Chainguard Images Sigstore bundle aims to give organizations all of the benefits of a supported Sigstore stack optimized for enterprise deployments, but with the control and ownership they need to run it safely and securely to meet their compliance requirements. We also offer availability of FIPS-compliant versions of the Chainguard Images for Sigstore.

At Chainguard, we believe that one of the most critical components of a secure supply chain is signing and verifying software – and the Cybersecurity and Infrastructure Security Agency (CISA) agrees. That’s why they recently introduced requirements for a proposed self-attestation form. The requirements outlined vendors who sell software to the federal government should be responsible for signing and verifying the signatures of all components they use, including commits, artifacts, and more.

We are here to help you get ahead of these upcoming compliance requirements – you can try Chainguard’s Sigstore Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our free and public Images are available on the :latest and :latest-dev versions only. If you're interested in learning more or have additional questions regarding our Chainguard Images Enterprise features, including FIPS versions and additional capabilities, please reach out to our team for more information.

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.