Submitted URL: http://sigstore.netlify.app/
Effective URL: https://sigstore.netlify.app/
Submission: On December 16 via api from US — Scanned from DE



SIGN. VERIFY. PROTECT.


MAKING SURE YOUR SOFTWARE IS WHAT IT CLAIMS TO BE.



In collaboration with




2800+ commits · 1200+ members · 20+ orgs

Now generally available!

Find out more


THE PROBLEM WITH OPEN SOURCE SECURITY

Not knowing where all your software comes from means hard-to-spot risks to the
integrity of your services. Without constant identity checks and safety
protocols for keys and secrets, open source dependencies can open the door to
breaches, exploits and supply chain attacks.


OUR VISION


SIGSTORE WAS STARTED TO IMPROVE SUPPLY CHAIN TECHNOLOGY FOR ANYONE USING OPEN
SOURCE PROJECTS. IT'S FOR OPEN SOURCE MAINTAINERS, BY OPEN SOURCE MAINTAINERS.


AND IT'S A DIRECT RESPONSE TO TODAY’S CHALLENGES, A WORK IN PROGRESS FOR A
FUTURE WHERE THE INTEGRITY OF WHAT WE BUILD AND USE IS UP TO STANDARD.

WHAT MAKES SIGSTORE DIFFERENT?

We’ve automated how you digitally sign and check components, for a safer chain
of custody tracing software back to the source. We want to remove the effort,
time and risk of error this usually comes with. And for anyone whose software
depends on open source, future integrations can make it easier to check for
authenticity, wherever it’s come from.

AUTOMATIC KEY MANAGEMENT

We use Cosign to generate the key pairs needed to sign and verify artifacts,
automating as much as possible so there’s no risk of losing or leaking them.

TRANSPARENT LEDGER TECHNOLOGY

A transparency log means anyone can find and verify signatures, and check
whether someone’s changed the source code, the build platform or the artifact
repository.

DRIVEN BY OUR COMMUNITY

Everyone involved in sigstore believes in an open, transparent and accountable
future for open source software. Everything we do comes from that shared vision.

--------------------------------------------------------------------------------


HOW SIGSTORE WORKS

sigstore is a set of tools developers, software maintainers, package managers
and security experts can benefit from. Bringing together free-to-use open source
technologies like Fulcio, Cosign and Rekor, it handles digital signing,
verification and checks for provenance needed to make it safer to distribute and
use open source software.

A standardized approach

This means that open source software uploaded for distribution has a stricter,
more standardized way of checking who has been involved and that it has not been
tampered with. There’s no risk of key compromise, so third parties can’t hijack
a release and slip in something malicious.

Building for future integrations

With the help of a working partnership that includes GitHub, Google, the Linux
Foundation, Red Hat and Purdue University, we’re in constant collaboration to
find new ways to improve the sigstore technology, to make it easy to adopt,
integrate and become a long-lasting standard.



HOW CAN YOU USE IT?

SIGN CODE

Easy authentication and smart cryptography work in the background. Just push
your code.

VERIFY SIGNATURES

A transparency log stores data like who created something and how, so you know
it hasn’t been changed.

MONITOR ACTIVITY

Logged data is readily auditable, for future monitors and integrations to build
into your security workflow.

--------------------------------------------------------------------------------

Press

"The software ecosystem is in dire need of something like [sigstore] to report
the state of the supply chain."

Lawrence Abrams, Bleeping Computer

Blog post

“We need to make it possible to verify provenance along the entire chain and the
goal of the Sigstore effort is to enable just that.”

Ryan Hurst, Google Production Security Team

Integration: KPACK

An integration to sign images . . . and push the signatures to a registry so
that users can ensure the chain of custody of a generated artifact.

Case Study: NPM

“How to verifiably link npm packages to their source repository and build
instructions.”

Brian DeHamer, Philip Harrison, GitHub Package Security Team

Blog Post

"An open source community coming together to collaborate and develop a solution
to ease the adoption of software signing..."

Luke Hinds, Co-creator, sigstore & Senior Principal Software Engineer, Red Hat

Case Study: Stacklok

We're excited to announce the launch of Minder and Trusty, two free-to-use tools
that build on the power of the open source project Sigstore...

Press

“Sigstore will make code signing free and easy for software developers,
providing an important first line of defense.”

Lily Hay Newman, Wired


--------------------------------------------------------------------------------


NEWS & EVENTS

 * SigstoreCon 24 - Software Supply Chain Event, November 12, 2024. Utah, USA (news, Sep 14, 2024)
 * Sigstore - Simplifying Code Signing for Open Source Ecosystems (news, Nov 21, 2023)
 * Wind River Further Expands VxWorks RTOS Containers Leadership with Cosign Support (news, Nov 1, 2023)
 * JPMorgan’s Global CISO urges use of Sigstore, Alpha-Omega in open source security drive (news, Oct 5, 2023)
 * Sigstore support in npm released in public beta (release, Apr 19, 2023)


HELP BUILD A SAFER FUTURE WITH US.


View the project


Copyright © 2023 The Linux Foundation®. All rights reserved. The Linux
Foundation has registered trademarks and uses trademarks. For a list of
trademarks of The Linux Foundation, please see our Trademark Usage page. Linux
is a registered trademark of Linus Torvalds. Privacy Policy, Terms of Use,
Hosted Project Tools Terms of Use and Immutable Record notice.
