Billy Lynch, Zack Newman discuss the architecture and internals of Sigstore and keyless signing, along with the security considerations that drove the design.

InfoQ is a leading online platform for software developers, architects, and technical leaders, providing news, articles, presentations, and interviews on a wide range of topics, including agile practices, DevOps, microservices, and emerging technologies. With a focus on quality content and expert insights, InfoQ helps professionals stay informed about the latest trends, best practices, and industry developments. Developers can learn from real-world experiences, gain  knowledge, and connect with peers in the global software community through InfoQ's diverse and engaging content.

InfoQ

Sigstore is an open-source project that aims to make software signing easy and readily available for people to use. It integrates with existing key management solutions and introduces the concept of keyless signing, focusing on identities rather than individual keys. Sigstore is widely supported in open-source software but not widely used. It offers improvements in key management, compromise detection, revocation, and identity verification. Many organizations, including Kubernetes, npm, and CPython, are already using Sigstore.

Sigstore: Secure and Scalable Infrastructure for Signing and Verifying Software

Challenges with Traditional Signing (Recap)