<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>About on</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/</link><description>Recent content in About on</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Tue, 06 Oct 2020 08:49:15 +0000</lastBuildDate><atom:link href="https://deploy-preview-426--docssigstore.netlify.app/about/index.xml" rel="self" type="application/rss+xml"/><item><title>Overview</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/overview/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/overview/</guid><description>Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. Signatures are generated with ephemeral signing keys so there&amp;rsquo;s no need to manage keys. Signing events are recorded in a tamper-resistant public log so software developers can audit signing events.</description></item><item><title>Tooling</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/tooling/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/tooling/</guid><description>Sigstore combines several different technologies that focus on automatic key management and transparency logs. They can be used independently or as one single process, and together they create a safer chain of custody tracing software back to the source.
Cosign # Tool for signing/verifying containers (and other artifacts) that ties the rest of Sigstore together, making signatures invisible infrastructure. Includes storage in an Open Container Initiative (OCI) registry. Review Cosign&amp;rsquo;s command line interface on GitHub.</description></item><item><title>Security Model</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/security/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/security/</guid><description>The Sigstore security model has a few key components, each aimed at establishing trust or proving identity. For a quick overview of the key services mentioned in this document, see Tooling.
Proving Identity in Sigstore # Sigstore relies on the widely used OpenID Connect (OIDC) protocol to prove identity. When running something like cosign sign, users will complete an OIDC flow and authenticate via an identity provider (GitHub, Google, etc.) to prove they are the owner of their account.</description></item><item><title>Threat Model</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/threat-model/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/threat-model/</guid><description>Introduction # What types of security analysis have you done on Sigstore? This page contains the results of a threat modeling exercise on Sigstore. First, we enumerate the components of Sigstore along with third parties and infrastructure that it uses during the “keyless” signing and verification flows. Second, we postulate an attacker that can compromise various subsets of these parties. Finally, we analyze the impact of such an attacker on these security properties.</description></item><item><title>Sigstore Bundle Format</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/bundle/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/bundle/</guid><description>Last updated January 14, 2025
Version 0.3.2
This document describes the data structure for storing Sigstore signatures generated by tooling working in the context of the Sigstore Public Instance. It includes json examples of serialized bundles of the current bundle format version. It may exclude descriptions of parameters that continue to exist for compatibility reasons or for private use cases. For a full description of the format, the formal schema and information about language library support see sigstore/protobuf-specs.</description></item><item><title>API Stability and Deprecation Policy</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/api-stability/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/api-stability/</guid><description>This document covers API stability and the deprecation policy for Sigstore APIs and client libraries.
What does this cover? # The deprecation policy encompasses:
The client API for Fulcio The client API for Rekor Features provided by Cosign The sigstore/sigstore client library The cosign/pkg/oci client library What are the different API stability levels? # There are three levels of stability and support:
Experimental Features may be shipped with bugs Feature is not yet recommended for production use Beta Features will be available for the next few releases Generally Available The feature will be available and supported What is the deprecation policy at each level?</description></item><item><title>The Importance of Verification</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/the-importance-of-verification/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/the-importance-of-verification/</guid><description>A note on verification # As we learned in the Sigstore overview, the Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts (release files, container images, attestations, SBOMs, etc).
With so many tools, and the ability to sign so many types of software artifacts, it could be easy to focus on the details of how to use the project and miss the larger picture of what Sigstore is trying to accomplish.</description></item><item><title>Contributing</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/contributing/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/contributing/</guid><description>Contributing as a developer # To contribute to Sigstore as a developer, check out the following repositories for developer information on the various Sigstore projects:
Cosign Rekor Fulcio Sigstore clients # Go: sigstore/sigstore-go sigstore/sigstore Sigstore Go meeting notes Python: sigstore/sigstore-python Java and Maven: sigstore/java sigstore/sigstore-maven sigstore/sigstore-maven-plugin Sigstore Java meeting notes JavaScript: sigstore/sigstore-js Rust: sigstore/sigstore-rs Ruby: sigstore/sigstore-ruby Contributing to the documentation # Sigstore welcomes documentation contributions. Please see the docs repository README for more information on how to run the documentation locally, contribute to the project, and for general technical writing information.</description></item><item><title>Get Help</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/support/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/support/</guid><description>If you are not able to find the relevant information to solve your issue, you can still get help from the Sigstore community!
This page describes how you can get in touch with us to get support.
Help from the community # Sigstore has a Slack community, and you can request an invite at this link. Please post any support requests in the #general channel.
Help from project maintainers # Each repository has a CODEOWNERS file describing current maintainers.</description></item><item><title>Documentation Locations</title><link>https://deploy-preview-426--docssigstore.netlify.app/about/doc_locations/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/about/doc_locations/</guid><description>This document describes where to house new Sigstore documentation based on topic and intended audience.
The location for Sigstore repositories and associated documentation is at http://github.com/sigstore. Documentation for Sigstore falls under two main categories:
Documentation for Sigstore users: those who want to sign or verify artifacts or create integrations using Sigstore tooling. Documentation for Sigstore Developers: those who are changing the modules (Cosign, Rekor, etc.) of Sigstore, adding support for new languages, or implementing new features for the Sigstore suite of tooling.</description></item></channel></rss>