sigstore.netlify.app
Open in
urlscan Pro
2a05:d014:58f:6201::65
Public Scan
Submitted URL: http://sigstore.netlify.app/
Effective URL: https://sigstore.netlify.app/
Submission: On December 16 via api from US — Scanned from DE
Effective URL: https://sigstore.netlify.app/
Submission: On December 16 via api from US — Scanned from DE
Form analysis
0 forms found in the DOMText Content
* Overview * Community * How sigstore works * Trust and security * Blog * Docs * Status * SIGN. VERIFY. PROTECT. MAKING SURE YOUR SOFTWARE IS WHAT IT CLAIMS TO BE. In collaboration with 2800+ COMMITS 1200+ MEMBERS 20+ ORGS Now generally available! Find out more THE PROBLEM WITH OPEN SOURCE SECURITY Not knowing where all your software comes from means hard-to-spot risks to the integrity of your services. Without constant identity checks and safety protocols for keys and secrets, open source dependencies can open the door to breaches, exploits and supply chain attacks. Not knowing where all your software comes from means hard-to-spot risks to the integrity of your services. Without constant identity checks and safety protocols for keys and secrets, open source dependencies can open the door to breaches, exploits and supply chain attacks. OUR VISION SIGSTORE WAS STARTED TO IMPROVE SUPPLY CHAIN TECHNOLOGY FOR ANYONE USING OPEN SOURCE PROJECTS. IT'S FOR OPEN SOURCE MAINTAINERS, BY OPEN SOURCE MAINTAINERS. AND IT'S A DIRECT RESPONSE TO TODAY’S CHALLENGES, A WORK IN PROGRESS FOR A FUTURE WHERE THE INTEGRITY OF WHAT WE BUILD AND USE IS UP TO STANDARD. WHAT MAKES SIGSTORE DIFFERENT? We’ve automated how you digitally sign and check components, for a safer chain of custody tracing software back to the source. We want to remove the effort, time and risk of error this usually comes with. And for anyone whose software depends on open source, future integrations can make it easier to check for authenticity, wherever it’s come from. AUTOMATIC KEY MANAGEMENT We use Cosign to generate the key pairs needed to sign and verify artifacts, automating as much as possible so there’s no risk of losing or leaking them. TRANSPARENT LEDGER TECHNOLOGY A transparency log means anyone can find and verify signatures, and check whether someone’s changed the source code, the build platform or the artifact repository. DRIVEN BY OUR COMMUNITY Everyone involved in sigstore believes in an open, transparent and accountable future for open source software. Everything we do comes from that shared vision. -------------------------------------------------------------------------------- HOW SIGSTORE WORKS sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software. A standardized approach This means that open source software uploaded for distribution has a stricter, more standardized way of checking who’s been involved, that it hasn’t been tampered with. There’s no risk of key compromise, so third parties can’t hijack a release and slip in something malicious. Building for future integrations With the help of a working partnership that includes GitHub, Google, the Linux Foundation, Red Hat and Purdue University, we’re in constant collaboration to find new ways to improve the sigstore technology, to make it easy to adopt, integrate and become a long-lasting standard. HOW CAN YOU USE IT? SIGN CODE Easy authentication and smart cryptography work in the background. Just push your code. VERIFY SIGNATURES A transparency log stores data like who created something and how, so you know it hasn’t been changed. MONITOR ACTIVITY Logged data is readily auditable, for future monitors and integrations to build into your security workflow. -------------------------------------------------------------------------------- Press Press "The software ecosystem is in dire need of something like [sigstore] to report the state of the supply chain." Lawrence Abrams Bleeping Computer Learn more Blog post Blog post “We need to make it possible to verify provenance along the entire chain and the goal of the Sigstore effort is to enable just that.” Ryan Hurst Google Production Security Team Learn more Integration: KPACK Integration: KPACK An integration to sign images . . . and push the signatures to a registry so that users can ensure the chain of custody of a generated artifact. Learn more Case Study: NPM Case Study: NPM “How to verifiably link npm packages to their source repository and build instructions.” Brian DeHamer, Philip Harrison GitHub Package Security Team Learn more Blog Post Blog Post "An open source community coming together to collaborate and develop a solution to ease the adoption of software signing..." Luke Hinds Co-creator, sigstore & Senior Principal Software Engineer, Red Hat Learn more Case Study: Stacklok Case Study: Stacklok We're excited to announce the launch of Minder and Trusty, two free-to-use tools that build on the power of the open source project Sigstore... Learn more Press Press “Sigstore will make code signing free and easy for software developers, providing an important first line of defense.” Lily Hay Newman Wired Learn more Press Press "The software ecosystem is in dire need of something like [sigstore] to report the state of the supply chain." Lawrence Abrams Bleeping Computer Learn more Blog post Blog post “We need to make it possible to verify provenance along the entire chain and the goal of the Sigstore effort is to enable just that.” Ryan Hurst Google Production Security Team Learn more Integration: KPACK Integration: KPACK An integration to sign images . . . and push the signatures to a registry so that users can ensure the chain of custody of a generated artifact. Learn more Case Study: NPM Case Study: NPM “How to verifiably link npm packages to their source repository and build instructions.” Brian DeHamer, Philip Harrison GitHub Package Security Team Learn more Blog Post Blog Post "An open source community coming together to collaborate and develop a solution to ease the adoption of software signing..." Luke Hinds Co-creator, sigstore & Senior Principal Software Engineer, Red Hat Learn more Case Study: Stacklok Case Study: Stacklok We're excited to announce the launch of Minder and Trusty, two free-to-use tools that build on the power of the open source project Sigstore... Learn more Press Press “Sigstore will make code signing free and easy for software developers, providing an important first line of defense.” Lily Hay Newman Wired Learn more Press Press "The software ecosystem is in dire need of something like [sigstore] to report the state of the supply chain." Lawrence Abrams Bleeping Computer Learn more Blog post Blog post “We need to make it possible to verify provenance along the entire chain and the goal of the Sigstore effort is to enable just that.” Ryan Hurst Google Production Security Team Learn more Integration: KPACK Integration: KPACK An integration to sign images . . . and push the signatures to a registry so that users can ensure the chain of custody of a generated artifact. Learn more Case Study: NPM Case Study: NPM “How to verifiably link npm packages to their source repository and build instructions.” Brian DeHamer, Philip Harrison GitHub Package Security Team Learn more Blog Post Blog Post "An open source community coming together to collaborate and develop a solution to ease the adoption of software signing..." Luke Hinds Co-creator, sigstore & Senior Principal Software Engineer, Red Hat Learn more Case Study: Stacklok Case Study: Stacklok We're excited to announce the launch of Minder and Trusty, two free-to-use tools that build on the power of the open source project Sigstore... Learn more Press Press “Sigstore will make code signing free and easy for software developers, providing an important first line of defense.” Lily Hay Newman Wired Learn more -------------------------------------------------------------------------------- NEWS & EVENTS View more news SigstoreCon 24 - Software Supply Chain Event, November 12, 2024. Utah, USA news Sep 14, 2024 • See more Sigstore - Simplifying Code Signing for Open Source Ecosystems news Nov 21, 2023 • See more Wind River Further Expands VxWorks RTOS Containers Leadership with Cosign Support news Nov 1, 2023 • See more JPMorgan’s Global CISO urges use of Sigstore, Alpha-Omega in open source security drive news Oct 5, 2023 • See more Sigstore support in npm released in public beta release Apr 19, 2023 • See more View more news HELP BUILD A SAFER FUTURE WITH US. View the project * * * Blog * GitHub * Twitter * Slack Copyright © 2023 The Linux Foundation®. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page. Linux is a registered trademark of Linus Torvalds. Privacy Policy, Terms of Use, Hosted Project Tools Terms of Use and Immutable Record notice. * Overview * Community * How sigstore works * Trust and security * Docs * Status * Blog * GitHub * Twitter * Slack