Today at the first-ever SigstoreCon, Sigstore announced its general availability. Sigstore now delivers a 99.5% uptime SLO and round-the-clock pager support, in which many of our Chainguardians will actively participate. In the face of increasing supply chain security concerns, this next phase for Sigstore will give open source communities and enterprises of all sizes access to production-grade, stable services for artifact signing and verification.
Sigstore is one of the fastest-adopted open source technologies because of its developer-friendly method for signing, verifying and protecting software. Recently, GitHub announced that npm, with its more than one million packages, intends to start using Sigstore. This is only the most recent in a growing number of announcements from Python, Rust, Kubernetes and others about adopting Sigstore’s free wax seal of software authenticity. These milestones are a testament to the commitment and hard work happening across the Sigstore community, and a very positive signal from open source projects and maintainers about their commitment to software security.
What’s new in Sigstore GA?
Sigstore's Fulcio certificate authority and Rekor transparency log public-benefit services are now generally available with today’s announcement. Sigstore services allow easy signing and verification of open source software, and are already integrated into tools like Sigstore’s cosign and Tekton Chains, and into services like GitHub Actions. Now that Fulcio and Rekor are production grade, language package managers like RubyGems and npm can confidently integrate with Sigstore for their signing needs and increase adoption. Visit the Rekor and Fulcio GitHub repositories to learn more about how to use their APIs.
We hope this milestone for Sigstore services will empower not only more open source projects but enterprises of all sizes to adopt Sigstore to further secure their software supply chains.
Get started with Sigstore today!
Last month, we launched Chainguard Academy, the first open source and interactive educational platform designed for software supply chain security. Chainguard Academy offers an interactive terminal sandbox to get hands-on and experiment with tooling like Sigstore right from the browser. We’ve created tutorials for core components of Sigstore:
And don’t forget to sign up to take the Sigstore edX course, designed in partnership with The Linux Foundation.
Sigstore is one of those foundational technologies that can change the culture of software development, which is what we’re doing at Chainguard. We’re making software secure by default with tools like Sigstore, SLSA and more, so that software developers can build in, rather than bolt on, security measures, and companies can improve their overall software security hygiene.
Congrats Team Sigstore!