Sigstore Project Aims to Secure Software Supply Chain

The new sigstore project, recently announced by the Linux Foundation, aims to improve the security of the software supply chain by allowing developers to securely sign software components.

According to the announcement, the public, non-profit, software-signing service “will be free to use for all developers and software providers, with the sigstore code and operation tooling developed by the sigstore community,” which includes founding members Red Hat, Google, and Purdue University.

"sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain," said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO.