Question about #sigstore
One of the uses of transparency logs is to find sneaky deployments; maybe most of the time a package is doing what you expect, but every once in a while there's a malicious version, just for a few minutes, so it's unlikely to be found in spot checks.
Is it possible to retrieve a list of all the digests signed by a particular identity, or all the signatures on a particular registry prefix? Docs talk a lot about efficient inclusion proofs given a signature but not that.
How to sign images and artifacts on GitLab CI
https://docs.gitlab.com/ee/ci/yaml/signing_examples.html
#sigstore #gitlabci #gitlab #cosign #securesoftwaresupplychain
Happy Friday! 🎉 Just published the report for this week: updates on #CNA registration for @ThePSF, #Sigstore for #Python artifacts, and other updates.
https://sethmlarson.dev/security-developer-in-residence-weekly-report-5
The #Sigstore signatures for #Python are now completely verifiable as documented, thanks to all the release managers who helped make this happen!
https://www.python.org/download/sigstore
https://github.com/sethmlarson/verify-python-release-signatures/
The recording for my @devconf_cz talk « An introduction to #Sigstore for Pythonistas » is available 💡 https://youtu.be/3wgdyGB5KnI
Join me at #devconf_cz next week and discover how to secure your Python projects with #sigstore 🔐 @devconf_cz https://sched.co/1MYhQ
🛎️🚨 In case you missed this, folx, do not forget to register for this event, unless you want to miss talks about #SBOM, #Sigstore, #SLSA, and many more. It is FREE for virtual attendance, so what are you waiting for? Go and register! 🥳
#openssf #theopenssf #openssfday
https://events.linuxfoundation.org/openssf-day-north-america/register/
SigStore is all the rage, and there appears to be a rubygems plugin for it, but it still says it's under development and hasn't had a commit in a while. Does anyone sign rubygems using sigstore?
https://github.com/sigstore/sigstore-ruby
#sigstore #ruby
More fun with Sigstore for your apt-get update, now with cosign verification. #sigstore https://blog.josefsson.org/2023/04/20/sigstore-for-apt-archives-apt-cosign/
“npm packages built on a cloud CI/CD system (like GitHub Actions) can now publish with provenance, meaning the package has verifiable links back to its source code and build instructions.”
https://github.blog/changelog/2023-04-19-npm-provenance-public-beta/
#npm #SupplyChain #provenance #ReproducibleBuilds #GitHub #DevSecOps #SigStore #JavaScript #NodeJS #PackageManagement
This is a really great blog post by the Virtru Platform Engineering team, in which they talk about the strategies they used to secure their software supply chain with open-source tools @sigstore
@kyverno🥇
#cosign #sigstore #projectsigstore #kyverno #softwaresupplychainsecurity #supplychainsecurity
Congrats to the #sigstore maintainers on the #cosign v2 release!
https://blog.sigstore.dev/cosign-2-0-released/
Java always holds a special place in my heart, and it's great to see #sigstore supporting this ecosystem! #SignTheWorld
RT @projectsigstore@twitter.com
Towards Easier, More Secure Signature Technology for the Java Ecosystem with Sigstore https://blog.sigstore.dev/towards-easier-more-secure-signature-technology-for-the-java-ecosystem-with-sigstore-60d6a02490a8
🐦🔗: https://twitter.com/projectsigstore/status/1621960159797907456
Time to get this #kubernetes #supplychain lab with #sigstore up and running for Civo Navigate.
Interested in running @projectsigstore@twitter.com locally? helped develop a guide that describes everything that you need to know to get started #sigstore #transparency #supplychain #signing #trust https://blog.sigstore.dev/a-guide-to-running-sigstore-locally-f312dfac0682