
Today, at SigstoreCon, a co-located event at the CNCF’s KubeCon/CloudNativeCon conference in Detroit, the Sigstore community announced the general availability of its free software signing service for open source projects. Sigstore is already one of the fastest-adopted open source projects ever, with more than 4 million signatures logged so far. Both the Kubernetes and Python communities use it to sign their releases. And npm, the popular JavaScript package manager, is currently in the process of integrating Sigstore to ensure the provenance of its packages.

“Sigstore has rapidly become the standard for signing, verifying, and protecting software, so it’s great to announce the general availability to remove one last barrier for more widespread adoption during a time when software supply chain security is more important than ever,” said Priya Wadhwa, a member of the Sigstore Technical Steering Committee and software engineer at Chainguard. “It is our hope that this next phase of Sigstore will empower the rest of the open source software ecosystem to gain increased confidence in adopting this technology and benefit from its reliable and stable experience.”

The Sigstore community promises 99.5% uptime and pager support — more than most free projects can offer. Sigstore, it’s worth noting, is a nonprofit project that is funded under the Open Source Security Foundation. Sigstore itself consists of a number of projects for signing containers, recording that signing information in an immutable, append-only transparency ledger and, of course, issuing the short-lived signing certificates in the first place.

Sigstore launches free software signing and verification service for open source projects by Frederic Lardinois, originally published on TechCrunch.