Sigstore was founded in March 2021. Open-source software (OSS) is pervasive: around 90% of companies use it. Amid rising software supply chain attacks, the fragility of projects that the world depends on became apparent. Major industry and government bodies are partnering to secure the cloud-native software supply chain and protect these core projects.

Today, Kubernetes and Sigstore announced that Kubernetes is adopting Sigstore in production: release artifacts are signed, signatures can be validated, and Kubernetes users can verify that a distribution is what it claims to be.

Sigstore was introduced last year, giving software developers a free signing service that improves the security of the software supply chain. It makes cryptographic software signing easy to adopt, backed by transparency log technology.

According to Wired, it quickly became the standard for signing, verifying and protecting software, because it can digitally sign and examine software artifacts, giving software a safer chain of custody that can be traced back to its origin.

Figure: Sigstore supply chain. Open-source software (OSS) is used by 90% of companies.

Kubernetes 1.24 has been released, and it and all further releases include Sigstore-signed certificates. This gives users the ability to confirm signatures and have high confidence in the origin of every deployed Kubernetes binary, source code bundle and container image.
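One way a Kubernetes user could perform the verification described above, as an added example that is not from the article or the Kubernetes project. It assumes cosign v2 and curl are installed, and the signer identity and OIDC issuer it checks against are assumptions to confirm against the project's own release-verification documentation.

```shell
#!/bin/sh
# Added example: verify a Kubernetes release binary against the Sigstore
# signature and certificate published beside it. Not the project's own script.
# Assumes cosign (v2) and curl; identity/issuer below are assumed values.
set -eu

# Assumed release-signer identity and issuer; confirm against Kubernetes docs.
K8S_SIGNER_IDENTITY="${K8S_SIGNER_IDENTITY:-krel-staging@k8s-releng-prod.iam.gserviceaccount.com}"
K8S_SIGNER_ISSUER="${K8S_SIGNER_ISSUER:-https://accounts.google.com}"

# Download URL for one release artifact. Usage: artifact_url VERSION OS ARCH BINARY
artifact_url() {
  printf 'https://dl.k8s.io/release/%s/bin/%s/%s/%s\n' "$1" "$2" "$3" "$4"
}

# The three files a verifier needs: the binary, its detached signature and the
# short-lived certificate Fulcio issued to the release signer.
artifact_files() {
  printf '%s %s.sig %s.cert\n' "$1" "$1" "$1"
}

# Fetch binary, .sig and .cert, then verify with cosign. A non-zero exit means
# either the signature does not match the bytes, or the certificate was not
# issued to the expected identity by the expected issuer. Pinning identity and
# issuer matters: without them any Fulcio-issued certificate would pass.
verify_k8s_binary() {
  version="$1"; os="$2"; arch="$3"; binary="$4"
  base="$(artifact_url "$version" "$os" "$arch" "$binary")"
  dir="${base%/*}"
  for f in $(artifact_files "$binary"); do
    curl -sSfL -o "$f" "$dir/$f"
  done
  cosign verify-blob "$binary" \
    --signature "$binary.sig" \
    --certificate "$binary.cert" \
    --certificate-identity "$K8S_SIGNER_IDENTITY" \
    --certificate-oidc-issuer "$K8S_SIGNER_ISSUER"
}

# Runs only when invoked with four arguments, e.g.:
#   sh verify.sh v1.24.0 linux amd64 kubectl
if [ "$#" -eq 4 ]; then
  verify_k8s_binary "$@"
fi
```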

Tracy Miranda, head of open source at Chainguard, says it is a huge step in securing the integrity of the Kubernetes ecosystem and illustrates that code signing at an enormous scale is both possible and necessary, given the increase in supply chain attacks.

Luke Hinds, Security Engineering lead at Red Hat, member of the Kubernetes Security Response Team and founder of the Sigstore project, says it is great to see adoption of Sigstore by a project such as Kubernetes, which runs critical workloads that need the highest protection.

Bob Callaway, Sigstore TSC member and staff software engineer at Google, says Kubernetes is a well-known and widely adopted open source project, and it inspires other open source projects to build their software supply chain security around SLSA levels and signing with Sigstore.

Figure: Sigstore supply chain. SLSA brought improvements to the Kubernetes software supply chain.

They developed Sigstore to be free, easy and seamless for a massive audience to adopt, protecting them all from supply chain attacks. Kubernetes' choice to use Sigstore is a testament to that work.

In early 2021, the Kubernetes release team began exploring SLSA compliance to improve the security of the Kubernetes software supply chain. SLSA is a security framework that includes standardized checklists to prevent tampering, secure packages and infrastructure in projects, and improve integrity. Sigstore was a key project in accomplishing the SLSA level 3 compliance that the Kubernetes community envisions reaching by this August.

This latest announcement and partnership across open source communities made it possible, and raised awareness in the industry that software supply chains and open source projects are a critical area in which they must work to improve. Security is a continuous journey, but every step delivered lessens attackers' ability to weaken the integrity of the supply chain, as mentioned by Tim Pepper, Head of Open Source Technology Center at VMware, Emeritus SIG Release Lead and Kubernetes Steering Committee member.