
Linux Foundation is making it easier to verify the authenticity of software


Sigstore will help sign and verify software with minimal overhead and complexity.
In a bid to secure the open source software supply chain, the Linux Foundation has joined with Red Hat, Google, and Purdue University to launch a new project to help developers cryptographically sign their software. With industrial adoption of open source software rising steadily, the project, called sigstore, aims to prevent an attack on a public software repository from injecting tainted code into the supply chain. “sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO.
