sigstore: How We Started, Where We Are, Where We are Headed - Bob Callaway, Red Hat & Dan Lorenc, Google
Abstract
sigstore is a project under the Linux foundation to provide a non profit , public good software security cryptographic signing service. You can think of it like the ‘Lets Encrypt’ for software signing. If you have not heard of it yet, you certainly will soon. sigstore is used to protect kubernetes release container images and verify them directly in kubernetes release infrastructure. Many other communities are also in the process of looking at how they can implement sigstore (python, rubygems, wasm, maven). The sigstore community is made up of security experts from the communities such as TUF, Kubernetes, in-toto and engineers from Red Hat, Google, Smallstep, VMWare and many more.