
The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:13 UTC (Thu) by mss (subscriber, #138799)
Parent article: The Linux Foundation's "sigstore" project

Looks to me like it is essentially a centralized PGP Web of Trust or TOFU database replacement specifically for signing packages.

That is, instead of calculating the trust of the PGP key that signed a release of some package using the aforementioned trust methods, the signature will be checked directly in a centralized log.


to post comments

The Linux Foundation's "sigstore" project

Posted Mar 12, 2021 22:06 UTC (Fri) by Jan_Zerebecki (guest, #70319)

Not even that: the sigstore-with-oauth sketched in the article will not tell you whether you should trust code that their DB says was signed by lwn@example.com. So you will still need to maintain some sort of trust DB in addition to this sigstore to answer that question.
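
The separation both comments describe, as an added illustration that is not sigstore code and not part of either post: the log can answer "does a signature by this identity over this digest exist?", while "may this identity sign this package?" has to come from a locally maintained policy. The `LogEntry` shape, the `TRUST_POLICY` table and the assumption that an entry records which identity provider vouched for the e-mail address are all constructed for the example.

```python
# Added illustration, not sigstore's code: a transparency log establishes that a
# signature by some identity exists; whether that identity is trusted for a given
# package is a separate decision that only a local policy can make.
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    """Constructed stand-in for one log record: the artifact digest plus the
    identity bound to the signature (signer e-mail and the OIDC issuer that
    vouched for it). Assumed shape, not a real sigstore record format."""
    package: str
    digest: str
    signer: str
    issuer: str


# Constructed local trust DB: which (issuer, identity) pairs may sign which package.
# Keying on the issuer as well as the e-mail matters because the same address can
# be asserted by different identity providers.
TRUST_POLICY = {
    "example-pkg": {("https://issuer.example", "lwn@example.com")},
}


def log_says_signed(entry: LogEntry, expected_digest: str) -> bool:
    """What the log alone establishes: a signature over this digest is recorded."""
    return entry.digest == expected_digest


def policy_allows(entry: LogEntry, policy=TRUST_POLICY) -> tuple[bool, str]:
    """The question the log cannot answer: is this signer trusted for this package?"""
    allowed = policy.get(entry.package, set())
    if not allowed:
        return False, f"no local policy for package {entry.package!r}"
    if (entry.issuer, entry.signer) not in allowed:
        return False, f"{entry.signer} via {entry.issuer} not trusted for {entry.package!r}"
    return True, "signer trusted for package"


def verify(entry: LogEntry, expected_digest: str) -> tuple[bool, str]:
    """Both checks are required: a perfectly valid log entry from an untrusted
    signer, or from the right e-mail via an unexpected issuer, is still rejected."""
    if not log_says_signed(entry, expected_digest):
        return False, "log entry does not cover the expected digest"
    return policy_allows(entry)
```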


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds