Sigstore: A Solution to Software Supply Chain Security

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • community

    General sigstore community repo (by sigstore)

  • All of these tools have their pros and cons and could be combined and extended to provide stronger security. For more details about this, you can check out the document in sigstore's community repository (see the Further Work section).

  • cosign

    Code signing and transparency for containers and binaries

  • cosign is a container signing tool. Its responsibility is to sign containers and publish that information to OCI registries. In the above process, that matches steps 1, 5, 6 and 7.

  • fulcio

    Sigstore OIDC PKI

  • fulcio is a root CA for code signing certs. Its job is to issue code-signing certificates and to embed the OIDC identity into the code-signing certificate. From this description we can see that it performs these tasks in steps 2, 3, 4 and 8.

  • rekor

    Software Supply Chain Transparency Log

  • rekor is the transparency log. It's an append-only, immutable ledger that serves as a transparent source of truth for what was signed by whom.


Related posts

  • PGP signatures on PyPI: worse than useless

    1 project | /r/programming | 22 May 2023
  • Show HN: Seal – Verifiable timestamp for your private ideas

    4 projects | news.ycombinator.com | 5 Jun 2022
  • Another NPM Package Is Highjacked

    1 project | news.ycombinator.com | 27 Oct 2021
  • Signing Software The Easy Way with Sigstore and Cosign

    3 projects | dev.to | 2 Sep 2021
  • Secure Supply Chain – Transparency Log

    1 project | news.ycombinator.com | 19 Aug 2021