Chainguard, in collaboration with the Linux Foundation and OpenSSF, has announced a new Sigstore course to educate the industry on how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source. Titled Securing Your Software Supply Chain with Sigstore, it is written by Lisa Tagliaferri and John Speed Meyers of Chainguard.
Building and distributing software that stays secure across its whole lifecycle is hard, and many projects do not build securely by default. Attacks and vulnerabilities can be introduced at any step of the chain, from the moment code is written, through packaging, to distribution to end users. Sigstore is one of several technologies that have emerged to improve the integrity of the software supply chain while reducing the friction developers face in signing and verifying what they ship as part of their daily work. It was started to make that signing and verification available to anyone producing or consuming open source software.
The course is aimed at anyone new to Sigstore and its sub-projects. It introduces Cosign (the command-line tool for signing and verifying containers and other artifacts), Fulcio (the certificate authority that issues short-lived signing certificates bound to an identity) and Rekor (the transparency log that records signatures), and explains how together they support a more secure software supply chain. You will learn how to apply these tools throughout your development, testing and distribution processes.
Additionally, those who consume or deploy your software can verify its authenticity against a tamper-resistant public log, so a signature recorded there cannot later be silently altered or removed.