Replies: 1 comment
- This is kind of interesting. It seems to be aimed at solving the supply-chain problem and building a trustworthy security ecosystem: use technical means like Fulcio and Rekor to handle digital attestation up front, then pull all the players in together to build the ecosystem and the process. They move fast. Microsoft doesn't seem to have joined, though; could that be because Google is in it? :)
- Official website: https://www.sigstore.dev/
Vision
sigstore was started to improve supply chain technology for anyone using open source projects. It's for open source maintainers, by open source maintainers.
And it's a direct response to today’s challenges, a work in progress for a future where the integrity of what we build and use is up to standard.
How sigstore works
sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.
This means that open source software uploaded for distribution has a stricter, more standardized way of checking who’s been involved and that it hasn’t been tampered with. There’s no risk of key compromise, so third parties can’t hijack a release and slip in something malicious.
With the help of a working partnership that includes Google, the Linux Foundation, Red Hat and Purdue University, we’re in constant collaboration to find new ways to improve the sigstore technology, to make it easy to adopt, integrate and become a long-lasting standard.
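The description above names Rekor as the piece that records signing events and lets anyone check provenance. Rekor is a transparency log built on an RFC 6962 style Merkle tree, and the following Python is an added teaching model of that one idea, written for this thread rather than taken from sigstore or from the quoted website: an append-only log of signing records, an inclusion proof for any record, and the check a consumer would run before installing a download. The record format, the signer names, the artifact contents and the `example.org` addresses are constructed for the example; a real Rekor entry also carries the signature and the Fulcio certificate, which this model leaves out.

```python
import hashlib
import json
from typing import List, Tuple

# Added illustration of what a transparency log such as Rekor provides. This is a
# stand-alone teaching model using RFC 6962 hashing, not Rekor's own code.

Proof = List[Tuple[str, bytes]]  # ("L" | "R", sibling hash), ordered leaf to root


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 domain separation: leaves are hashed with a 0x00 prefix ...
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never pose as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2), as RFC 6962 defines.
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(hashes: List[bytes]) -> bytes:
    if not hashes:
        return hashlib.sha256(b"").digest()
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))


def inclusion_proof(hashes: List[bytes], index: int) -> Proof:
    # The sibling hashes needed to recompute the root starting from leaf `index`.
    if len(hashes) == 1:
        return []
    k = _split(len(hashes))
    if index < k:
        return inclusion_proof(hashes[:k], index) + [("R", merkle_root(hashes[k:]))]
    return inclusion_proof(hashes[k:], index - k) + [("L", merkle_root(hashes[:k]))]


def verify_inclusion(entry: bytes, proof: Proof, root: bytes) -> bool:
    # A verifier needs only the entry, its proof and a trusted root hash.
    h = leaf_hash(entry)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


class TransparencyLog:
    """Append-only log: records are only ever added, never edited or removed."""

    def __init__(self) -> None:
        self._hashes: List[bytes] = []

    def append(self, entry: bytes) -> int:
        self._hashes.append(leaf_hash(entry))
        return len(self._hashes) - 1

    def root(self) -> bytes:
        return merkle_root(self._hashes)

    def proof(self, index: int) -> Proof:
        return inclusion_proof(self._hashes, index)


def make_entry(artifact: bytes, signer: str) -> bytes:
    # Constructed record shape: artifact digest plus the identity that signed it.
    digest = hashlib.sha256(artifact).hexdigest()
    return json.dumps({"sha256": digest, "signer": signer}, sort_keys=True).encode()


def check_artifact(artifact: bytes, entry: bytes, proof: Proof, root: bytes) -> bool:
    # Consumer-side check: do the downloaded bytes match the logged digest, and
    # is that record really part of the public log?
    record = json.loads(entry)
    if hashlib.sha256(artifact).hexdigest() != record["sha256"]:
        return False
    return verify_inclusion(entry, proof, root)


def demo() -> dict:
    # Constructed sample releases; signer addresses and contents are made up.
    log = TransparencyLog()
    releases = {
        "pkg-1.0.0": (b"contents of pkg-1.0.0", "maintainer@example.org"),
        "pkg-1.1.0": (b"contents of pkg-1.1.0", "maintainer@example.org"),
        "pkg-2.0.0": (b"contents of pkg-2.0.0", "release-bot@example.org"),
    }
    entries = {name: make_entry(art, who) for name, (art, who) in releases.items()}
    index = {name: log.append(entry) for name, entry in entries.items()}
    root = log.root()
    proof = log.proof(index["pkg-1.1.0"])
    genuine = check_artifact(releases["pkg-1.1.0"][0], entries["pkg-1.1.0"], proof, root)
    tampered = check_artifact(b"contents of pkg-1.1.0 plus extra", entries["pkg-1.1.0"], proof, root)
    # A record that was never logged cannot be proven against the root.
    unlogged = verify_inclusion(make_entry(b"x", "nobody@example.org"), log.proof(0), root)
    return {"genuine": genuine, "tampered": tampered, "unlogged": unlogged}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the split of trust: the log operator holds the leaves, but a consumer verifies with nothing more than the downloaded bytes, the logged record, the proof and a root hash obtained from a source it trusts, so altering a released file or quietly inserting a record after the fact changes hashes that everyone else can recompute.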