Sigstore
Facts (10)
Sources
Source: bureado/awesome-software-supply-chain-security (GitHub, github.com), 10 facts
[reference] The FOSDEM 2024 presentation 'SBOMs that you can trust: The Good, The Bad and the Ugly' covers SBOM trustworthiness across generation, storage, distribution, and processing using in-toto attestations, SLSA, CAS, and Sigstore.
[reference] Chainloop documentation provides a guide titled 'Software Supply Chain Attestation the Easy Way' which details the attestation lifecycle, including the init, add, and push operations, and explains the Sigstore bundle format.
[reference] Kubewarden is a Kubernetes policy engine that uses Sigstore to sign and verify its WebAssembly policies, enabling policy authors to leverage Sigstore verification capabilities within their policies to validate OCI artifacts.
[reference] The pacman-bintrans project by kpcyrd provides experimental binary transparency for the pacman package manager using Sigstore and Rekor.
[reference] The OpenSSF Landscape includes a Sigstore-specific view.
[reference] sns45/forgeseal is a supply chain security command-line interface for JavaScript and TypeScript that generates CycloneDX Software Bill of Materials (SBOMs), signs them using Sigstore keyless signing, produces SLSA v1 provenance attestations, and triages vulnerabilities using OSV.dev.
[claim] Sbomify is an SBOM platform that supports attestation verification using Sigstore and GitHub attestations, SPDX 2.3 export, product lifecycle management, and compliance tracking.
[reference] Sigstore is composed of the components Cosign, Fulcio, and Rekor.
[claim] Kubernetes uses Sigstore to prevent open-source software supply chain attacks.
[reference] stacklok/toolhive is an MCP server deployment platform that supports Sigstore-based provenance verification and attestation for container images and binaries.