Linux Foundation Debuts Sigstore Project for Software Signing
Yesterday, the Linux Foundation announced Sigstore, a new nonprofit initiative that seeks to improve open source software supply chain security. Sigstore's primary purpose is to make it easier for developers to add cryptographic signing to the different components of the software development process.
The Linux Foundation also stated that Sigstore will be a free service offered to software providers and developers to improve the supply chain security practices of the development process. Providers can use Sigstore's offerings to securely sign software artifacts such as release files, binaries, and container images. The signed materials are then recorded in a tamper-proof public log.
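To make the two pieces described above concrete, the following is an added example, not Sigstore's own code or API: a developer signs the SHA-256 digest of a release artifact with an Ed25519 key, the signature is admitted into an append-only, hash-chained log only after it verifies, and a consumer later checks a downloaded artifact against the log. The artifact bytes, the key pair and the log structure are all constructed for this example; a real transparency log uses a Merkle tree with inclusion proofs rather than the simple hash chain shown here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one record in a constructed, append-only log. Each entry commits
// to the hash of the previous entry, so altering or dropping an earlier
// record changes every hash that follows it and is detectable on audit.
type Entry struct {
	ArtifactDigest []byte            // SHA-256 of the signed artifact
	PublicKey      ed25519.PublicKey // key the artifact was signed with
	Signature      []byte            // Ed25519 signature over the digest
	PrevHash       []byte            // hash of the previous entry (zeros for the first)
	Hash           []byte            // hash of this entry
}

// Log is the hypothetical log; it stands in for a public transparency log.
type Log struct {
	entries []Entry
}

func entryHash(digest, pub, sig, prev []byte) []byte {
	h := sha256.New()
	h.Write(prev)
	h.Write(digest)
	h.Write(pub)
	h.Write(sig)
	return h.Sum(nil)
}

// SignArtifact hashes the artifact and signs the digest with the developer's key.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) (digest, sig []byte) {
	d := sha256.Sum256(artifact)
	return d[:], ed25519.Sign(priv, d[:])
}

// Append verifies the signature before admitting the entry to the log, so the
// log never records a claim it cannot itself check.
func (l *Log) Append(digest []byte, pub ed25519.PublicKey, sig []byte) error {
	if !ed25519.Verify(pub, digest, sig) {
		return fmt.Errorf("signature does not verify; entry rejected")
	}
	prev := make([]byte, sha256.Size)
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	l.entries = append(l.entries, Entry{digest, pub, sig, prev, entryHash(digest, pub, sig, prev)})
	return nil
}

// Audit recomputes the whole chain and re-verifies every signature; it returns
// false if any entry was altered after it was appended.
func (l *Log) Audit() bool {
	prev := make([]byte, sha256.Size)
	for _, e := range l.entries {
		if !bytes.Equal(e.PrevHash, prev) ||
			!bytes.Equal(e.Hash, entryHash(e.ArtifactDigest, e.PublicKey, e.Signature, e.PrevHash)) ||
			!ed25519.Verify(e.PublicKey, e.ArtifactDigest, e.Signature) {
			return false
		}
		prev = e.Hash
	}
	return true
}

// VerifyDownload is the consumer-side check: the downloaded bytes must hash to
// a digest that the expected publisher signed and the log recorded.
func (l *Log) VerifyDownload(artifact []byte, pub ed25519.PublicKey) bool {
	d := sha256.Sum256(artifact)
	for _, e := range l.entries {
		if bytes.Equal(e.ArtifactDigest, d[:]) && bytes.Equal(e.PublicKey, pub) &&
			ed25519.Verify(pub, d[:], e.Signature) {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	release := []byte("constructed sample release tarball bytes") // constructed artifact
	digest, sig := SignArtifact(priv, release)
	var tlog Log
	if err := tlog.Append(digest, pub, sig); err != nil {
		panic(err)
	}
	fmt.Println("logged digest:      ", hex.EncodeToString(digest))
	fmt.Println("audit ok:           ", tlog.Audit())
	fmt.Println("download verifies:  ", tlog.VerifyDownload(release, pub))
	fmt.Println("substitute verifies:", tlog.VerifyDownload([]byte("substituted build"), pub))
	// Rewriting a logged entry after the fact breaks the chain and the signature.
	tlog.entries[0].ArtifactDigest[0] ^= 0xff
	fmt.Println("audit after tamper: ", tlog.Audit())
}
```

The consumer never trusts the artifact's own bytes or filename; it recomputes the digest and requires a signature from the publisher's key that the log already admitted, which is the property that makes a substituted download detectable.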