Sigstore is a standard for signing, verifying, and protecting open source software. With increased industry attention being given to software supply chain security, including the recent Executive Order on Cybersecurity, the ability to know and trust where software comes from has never been more important. Sigstore simplifies and automates the complex parts of digitally signing software—making this more accessible and trustworthy than ever before.
Beginning in 2020 as an open source collaboration between Red Hat and Google, the Sigstore project has grown into a vendor-neutral, community-operated and community-designed project that is part of the Open Source Security Foundation (OpenSSF). The ecosystem has also continued to grow, spanning multiple package managers and ecosystems, and if you download a new release of an open source project like Python or Kubernetes today, you’ll see that it has been signed with Sigstore.
Google is an active, contributing member of the Sigstore community. In addition to upstream code contributions, Google has contributed in several other ways:
- Core Sigstore services are built on Google-supported open source technologies, including Go, gRPC, Trillian, and Certificate Transparency.
- We’re a diamond sponsor of this year’s SigstoreCon.
- As part of Google’s commitment to advancing cybersecurity, we’re supporting foundations, such as the OpenSSF, by pledging $100 million to fix open source vulnerabilities and oversee open source security priorities.
By Dave Lester – Google Open Source Programs Office, and Bob Callaway – Google Open Source Security Team