At SigstoreCon, the Sigstore community announced the general availability of its free software signing service, giving open source communities access to production-grade, stable services for artifact signing and verification. Sigstore provides a set of tools designed to improve supply chain security by making it easy to sign, verify and check the software that developers are building and consuming.
In the face of increasing software supply chain security concerns, Sigstore is quickly becoming one of the fastest-adopted open source technologies in history. To date, over 4 million signatures have been logged using Sigstore, and two of the world’s largest open source communities, Kubernetes and Python, have adopted Sigstore’s wax seal of authenticity by signing their production releases with Sigstore.
Most recently, npm announced that it is actively working to integrate Sigstore so that all npm packages can be reliably linked to their source code and build instructions.
The Sigstore community will operate the service with a 99.5% uptime SLO and round-the-clock pager support. Project sponsors Google, Red Hat, GitHub, and Chainguard, among others, have helped make this possible by providing the resources to support the service level objectives. Over 70 organizations are actively involved in maintaining and scaling Sigstore.