The Linux Foundation's "sigstore" project
The Linux Foundation has announced
a project called sigstore; its purpose is
to protect against supply-chain attacks by signing (and verifying) release
artifacts. "Very few open source projects cryptographically sign
software release artifacts. This is largely due to the challenges software
maintainers face on key management, key compromise / revocation and the
distribution of public keys and artifact digests. In turn, users are left
to seek out which keys to trust and learn steps needed to validate
signing. Further problems exist in how digests and public keys are
distributed, often stored on websites susceptible to hacks or a README file
situated on a public git repository. sigstore seeks to solve these issues
by utilization of short lived ephemeral keys with a trust root leveraged
from an open and auditable public transparency log."
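To make the announcement's last sentence concrete, here is an added example (not sigstore's own code, nor any part of cosign or Rekor) that mirrors the two ideas it names: a signer generates a fresh Ed25519 key per release, signs the artifact digest, publishes the digest, public key and signature as an entry in an append-only Merkle log, and then simply forgets the private key; a verifier later checks the artifact against that entry plus a Merkle inclusion proof against the log root it trusts. Sigstore's real design also binds the ephemeral key to a verified identity through a short-lived certificate (the Fulcio step); that binding is deliberately left out here so the example stays focused on ephemeral keys and the log. The `Log`, `Entry` and `ProofStep` types, the RFC 6962-style leaf/node hashing, and the sample artifact bytes are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Entry is what a signer publishes: the artifact digest, the ephemeral
// public key that signed it, and the signature over the digest.
// (Constructed for this example; not Rekor's entry format.)
type Entry struct {
	ArtifactDigest [32]byte
	PublicKey      ed25519.PublicKey
	Signature      []byte
}

// ProofStep is one sibling hash on the path from a leaf to the root.
type ProofStep struct {
	Hash  [32]byte
	Right bool // true when the sibling sits to the right of the current node
}

// Log is an append-only list of entries committed to by a Merkle root.
type Log struct{ entries []Entry }

// leafHash and nodeHash use RFC 6962-style domain separation so a leaf can
// never be confused with an interior node.
func leafHash(e Entry) [32]byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(e.ArtifactDigest[:])
	h.Write(e.PublicKey)
	h.Write(e.Signature)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}

func (l *Log) Append(e Entry) int { l.entries = append(l.entries, e); return len(l.entries) - 1 }

// Prove returns the current root and an inclusion proof for entry `index`.
// An unpaired node at the end of a level is promoted unchanged.
func (l *Log) Prove(index int) ([32]byte, []ProofStep) {
	hashes := make([][32]byte, len(l.entries))
	for i, e := range l.entries {
		hashes[i] = leafHash(e)
	}
	var proof []ProofStep
	for len(hashes) > 1 {
		var next [][32]byte
		for i := 0; i < len(hashes); i += 2 {
			if i+1 < len(hashes) {
				next = append(next, nodeHash(hashes[i], hashes[i+1]))
				if i == index {
					proof = append(proof, ProofStep{hashes[i+1], true})
				} else if i+1 == index {
					proof = append(proof, ProofStep{hashes[i], false})
				}
			} else {
				next = append(next, hashes[i])
			}
		}
		index /= 2
		hashes = next
	}
	return hashes[0], proof
}

// VerifyInclusion recomputes the root from the entry and its proof.
func VerifyInclusion(e Entry, proof []ProofStep, root [32]byte) bool {
	h := leafHash(e)
	for _, s := range proof {
		if s.Right {
			h = nodeHash(h, s.Hash)
		} else {
			h = nodeHash(s.Hash, h)
		}
	}
	return h == root
}

// SignArtifact generates a key that lives only for this call, signs the
// digest, logs the result and returns the entry index. The private key is
// never stored, so there is nothing to rotate, revoke or steal later.
func SignArtifact(log *Log, artifact []byte) (int, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, err
	}
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(priv, digest[:])
	return log.Append(Entry{digest, pub, sig}), nil
}

// VerifyArtifact is the consumer side: the download must match the logged
// digest, the signature must verify under the logged key, and the entry
// must be provably part of the log whose root the verifier trusts.
func VerifyArtifact(artifact []byte, e Entry, proof []ProofStep, root [32]byte) error {
	if sha256.Sum256(artifact) != e.ArtifactDigest {
		return errors.New("artifact digest does not match log entry")
	}
	if !ed25519.Verify(e.PublicKey, e.ArtifactDigest[:], e.Signature) {
		return errors.New("signature does not verify under logged key")
	}
	if !VerifyInclusion(e, proof, root) {
		return errors.New("entry is not included in the trusted log root")
	}
	return nil
}

func main() {
	log := &Log{}
	// Constructed stand-ins for release tarballs.
	artifacts := [][]byte{[]byte("release-1.0 bytes"), []byte("release-1.1 bytes"), []byte("release-2.0 bytes")}
	var idx int
	for _, a := range artifacts {
		idx, _ = SignArtifact(log, a)
	}
	root, proof := log.Prove(idx)
	fmt.Println("genuine:", VerifyArtifact(artifacts[2], log.entries[idx], proof, root))
	fmt.Println("tampered:", VerifyArtifact([]byte("release-2.0 modified"), log.entries[idx], proof, root))
}
```

Note that the verifier never needs a long-lived maintainer key or a README full of fingerprints: the only thing it must obtain out of band is the log root (in practice a signed tree head from the log operator), and any entry the signer or log tried to alter after the fact changes the leaf hash and breaks the inclusion proof.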
