Sigstore – A new standard for signing, verifying and protecting software

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • rekor

    Software Supply Chain Transparency Log

  • cargo-crev

    A cryptographically verifiable code review system for the cargo (Rust) package manager.

    The reviewing aspect sounds a lot like cargo-crev. [1]

    [1] https://github.com/crev-dev/cargo-crev

  • Rustup

    The Rust toolchain installer

    This is pretty cool and I think one of the good application areas of distributed ledger technology.

    Signing is still a hard problem, even for established projects like Rust. Right now, rustup does not verify signatures in any way or form. The security is solely thanks to https and the S3 bucket not being compromised.

    https://github.com/rust-lang/rustup/issues/2028

    https://github.com/rust-lang/rustup/issues/2027

  • fulcio

    Sigstore OIDC PKI

    Did you follow the link to the project list on Github? The actual tool for doing the signing, cosign, is just a binary you can install on your device and generate signatures and keys yourself. The "service" part of it seems to just be having your public certificate vouched for by a trusted code signing CA. I don't see anything in the tooling that requires your users to only trust that CA. If you want to sign your cert with your own CA and tell your users to trust that instead, they seemingly can do that, just as you can do that today in browsers. That you can't do it with Firefox extensions and mobile app stores is a limitation intentionally built into the distribution channel. It's not a limitation of PKI itself. iOS, Android, and Mozilla could have chosen to let users install arbitrary trusted CAs. You shouldn't dismiss all PKI based on the fact that a few vendors have chosen to implement it in a crappy way to make walled gardens.

    It doesn't say this on the announcement, but looking at the actual PKI service (https://github.com/sigstore/fulcio), it seems to be entirely possible to self-host the service and roll your own CA.
