Sigstore is an open-source project that aims to make software signing easy and readily available for people to use. It integrates with existing key management solutions and introduces the concept of keyless signing, focusing on identities rather than individual keys. Sigstore is widely supported in open-source software but not widely used. It offers improvements in key management, compromise detection, revocation, and identity verification. Many organizations, including Kubernetes, npm, and CPython, are already using Sigstore.
Table of contents
TranscriptWhy Software Signing?Software Signing TodayChallenges with Traditional SigningSigstore (Goals)Sigstore - Keyless SigningDemoKubernetes Admission ControllersChallenges with Traditional Signing (Recap)Why Do We Trust Sigstore?The Role of Identity ProvidersCase Study - Verifying ImagesCase Study - npmWhat You Should DoQuestions and AnswersSort: