witness VS cas

We have lots of work to do. https://github.com/in-toto/witness

Full disclosure, I am a member of the steering committee for in-toto and the CEO of TestifySec which in the main contributor to Witness.

You may also want to look into Witness https://github.com/testifysec/witness

like Witness which helps attest that software was built with the process you’re trying to attest to it.

Verifying provenance across CI steps is what the in-toto project was designed to help with. We implement in-toto with our open-source projects, Witness and Archivist.

You can read more about their take on the Codenotary Blog. Codenotary is a pioneer in DevSecOps and immutability (https://github.com/codenotary/immudb) and offer developer friendly tools (check out the Community Attestation Service https://cas.codenotary.com/ amongst others) that make truly verifiable software supply chain security a reality–today. They have a far reaching vision and care deeply about ensuring that the software you run, build and use is software that you (and your users) can trust. Behind Codenotary also stands Moshe Bar, who is an open source visionary and brought Xen and KVM to the world. He’s been a lifelong staunch supporter of the Open Source community and his vote of confidence means the world to us. Codenotary’s support will help us to continue delivering for the community day in and day out, and we’ll be working together to continue to grow the CentOS ecosystem and make sure AlmaLinux is the secure base you can build your future on.

vcn, the command line tool to calculate and send data hashes as well as verifying the cryptographic proof: https://github.com/vchain-us/vcn

You can also download the latest release