Open source software tools and services are often created quickly and out of necessity. Linus Torvalds, for example, created the first version of git in a weekend when the Linux kernel team could no longer use BitKeeper for Source Control Management.
sigstore was created earlier this year to address the massive gap for an easy, trustable and efficient digital signing tool to confirm the provenance (origin) of software. Since March 2021 sigstore has been growing rapidly and is being used for various projects. This includes Kubernetes, one of the world’s largest open source projects.
But like Let’s Encrypt and the Linux Kernel, sigstore requires resources. Building the first version of the tool is different from bringing together resources to enable widespread adoption and support it for the long term. That’s why we’re excited to announce today that the project has received generous contributions from Chainguard, Cisco, HPE, Google, Red Hat and VMware to conduct an extensive security audit and hire a full-time developer relations engineer.
The reality is that today the majority of software isn’t digitally signed. Without signatures, there’s little evidence of the software’s provenance, so most software consumed is cryptographically untrusted. With sigstore, developers can digitally sign containers, artifacts, config-as-code, policy, and any given computer file. sigstore has the potential of becoming to digital signing what Let’s Encrypt is to HTTPS.
“By working to eliminate the requirements for specialized skills in cryptography, sigstore is committed to establishing trust and transparency in the open source supply chain. Removing this exclusivity is key to increasing developers’ access to cryptographic signing and creating an open log for accountability. Red Hat is proud to support sigstore’s constant commitment to open source in the supply chain security space,” said Luke Hinds, Senior Principal Software Engineer, Red Hat.