In collaboration with the Linux Foundation and the OpenSSF, we’re thrilled to announce a new Sigstore course to educate the industry on how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source. Securing Your Software Supply Chain with Sigstore is a free course written by two of our Guardians, Lisa Tagliaferri and John Speed Meyers.
Sigstore is the new standard for signing, verifying and protecting software. It was started to improve supply chain technology for anyone using open source projects. Sigstore is for open source maintainers, by open source maintainers. With contributions from over 50 organizations, Sigstore is so powerful we recently called on the software industry to standardize on Sigstore and on the U.S. government to signal its support.
Why Did We Create this Course?
Chainguard partnered with Linux Foundation to author this new course because we believe in the power of open source and in empowering everyone to use it to secure their supply chains. It’s important to have good materials to make it equitable and accessible for everyone to have secure software supply chains.
Our Guardians are security experts with experience from diverse backgrounds that combine their knowledge to make open source software secure by default. Our co-founders and many of our Guardians help build Sigstore and regularly contribute to the project. That’s why we're in a unique position to help others understand how to use and adopt secure software from the start.
What Will You Learn?
The course is for anyone new to Sigstore and its sub-projects. It starts by teaching you the basics such as: “What is Software Supply Chain Security?” and defines key terms and concepts like SLSA and SBOM. By the end, you’ll have learnt how to set up your own Sigstore Rekor server with hands-on labs and code examples.
Chapter 1. Introducing Sigstore
Chapter 2. Cosign: Container Signing, Verification, and Storage in an OCI Registry
Chapter 3. Fulcio: A New Kind of Root Certificate Authority For Code Signing
Chapter 4. Rekor: Software Supply Chain Transparency Log
Chapter 5. Sigstore: Using the Tools and Getting Involved with the Community
Don’t dilly-dally, it’s free! Sign up to get the knowledge to better secure your supply chain.