Connecting with sigstore

Have you ever heard of sigstore? If not, you should learn all about it, as it's an important project from the Linux Foundation. From their About page;

sigstore will be a free to use non-profit software signing service that harnesses existing technologies of x509 PKI and transparency logs.

Users generate ephemeral short-lived key pairs using the sigstore client tooling. The sigstore PKI service will then provide a signing certificate generated upon a successful OpenID connect grant. All certificates are recorded into a certificate transparency log and software signing materials are sent to a signature transparency log. The use of transparency logs introduces a trust root to the users OpenID account. We can then have guarantees that the claimed user was in control of an identity service providers account at the time of signing. Once the signing operation is complete, the keys can be discarded, removing any need for further key management or need to revoke or rotate.

Using OpenID connect identities allows users to take advantage of existing security controls such as 2FA, OTP and hardware token generators.

sigstore’s transparency logs can act as a source of provenance, integrity, and discoverability. Being public and open anyone can monitor sigstore’s transparency logs for occurrences of their software namespace being used, perform queries using an artifact’s digest, return entries signed by a specific email address, public key, etc. Further to this, security researchers can monitor the log to seek out possible nefarious patterns or questionable behavior.

If that sounds like something that would help you to rest easier at night, perhaps you'd like to hear more about sigstore from the Red Hat Office of the CTO. Check out this video featuring Luke Hinds and Bob Callaway from the Red Hat Office of the CTO's Emerging Technologies team as they provide an overview of the project and discuss its future plans.