Signing Software The Easy Way with Sigstore and Cosign

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • cosign

    Code signing and transparency for containers and binaries

  • Before we sign anything, we first need all the CLI tools for each of sigstore's components - that is cosign, fulcio and rekor. The first of them - cosign - which we need to actually sign anything, can be installed as a binary or as a Docker image. For the first option, download the appropriate binary from the release page and put it somewhere in your $PATH. Additionally, considering that we're dealing with security tooling, it's recommended to verify the authenticity and integrity of the binary. You can do that using the commands shown on the release page.

  • rekor

    Software Supply Chain Transparency Log

  • wget -O rekor-cli https://github.com/sigstore/rekor/releases/download/v0.3.0/rekor-cli-linux-amd64
    chmod +x rekor-cli
    # Move it into $PATH directory...
    ./rekor-cli
    Rekor command line interface tool

    Usage:
      rekor [command]
    ...

  • sigstore-the-hard-way

    sigstore the hard way!

  • Also, if you want to dig even deeper, you can check out "sigstore the hard way", which is a guide to setting everything up from scratch - including the fulcio CA and the rekor transparency log server.

Related posts

  • PGP signatures on PyPI: worse than useless

    1 project | /r/programming | 22 May 2023
  • Show HN: Seal – Verifiable timestamp for your private ideas

    4 projects | news.ycombinator.com | 5 Jun 2022
  • Another NPM Package Is Highjacked

    1 project | news.ycombinator.com | 27 Oct 2021
  • Secure Supply Chain – Transparency Log

    1 project | news.ycombinator.com | 19 Aug 2021
  • Sigstore: A Solution to Software Supply Chain Security

    4 projects | dev.to | 16 Aug 2021