With the release of Kubernetes (https://kubernetes.io/) 1.24 on May 4, for the first time, over five million Kubernetes developers can verify that the distributions they’re using are what they claim to be. That’s because with this release Kubernetes is adopting sigstore (https://www.sigstore.dev/) for signing artifacts and verifying signatures.

All too often software components are poisoned, and every program built on them withers and dies with them.

Sigstore improves software supply chain security by making it easy to cryptographically sign release files, container images, and binaries.
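Concretely, verifying a downloaded release binary against its sigstore signature looks like the following. This is an added example, not code from the article or from the Kubernetes project itself. It assumes cosign 2.x is installed (the `--certificate-identity` and `--certificate-oidc-issuer` flags come from that version), that the binary, its `.sig` and its `.cert` files sit beside each other under the dl.k8s.io path layout used here, and that `SIGNER_IDENTITY` and `OIDC_ISSUER` are replaced with the identity and issuer the Kubernetes release team publishes; the values below are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): fetch a Kubernetes release binary
# together with its detached sigstore signature and certificate, check a
# published SHA-256, and verify the signature with cosign while pinning the
# expected signer. Download path layout, signer identity and OIDC issuer are
# assumptions for this example.

set -eu

# Placeholders: replace with the identity/issuer published by the release team.
SIGNER_IDENTITY="${SIGNER_IDENTITY:-release-signer@example.invalid}"
OIDC_ISSUER="${OIDC_ISSUER:-https://accounts.google.com}"

# Compute a SHA-256 digest portably (coreutils sha256sum or BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a file's digest with a published checksum; returns 0 on match.
# A checksum proves the download is intact, not who produced it; the
# signature check below is what adds provenance.
check_sha256() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ]
}

# Download the binary plus its detached signature and signing certificate.
# The URL layout is an assumption for this example.
fetch_artifact() {
  version="$1"; os="$2"; arch="$3"; name="$4"
  base="https://dl.k8s.io/release/${version}/bin/${os}/${arch}/${name}"
  for suffix in "" ".sig" ".cert"; do
    curl -fsSLo "${name}${suffix}" "${base}${suffix}"
  done
}

# Verify the detached signature with cosign. Pinning the identity and issuer
# rejects a signature that is valid but was produced by some other account
# recorded in the transparency log.
verify_artifact() {
  name="$1"
  cosign verify-blob "$name" \
    --signature "${name}.sig" \
    --certificate "${name}.cert" \
    --certificate-identity "$SIGNER_IDENTITY" \
    --certificate-oidc-issuer "$OIDC_ISSUER"
}

main() {
  fetch_artifact "v1.24.0" "linux" "amd64" "kubectl"
  verify_artifact "kubectl"
  echo "kubectl v1.24.0: signature verified"
}

# Run the full (network-dependent) flow only when explicitly requested.
if [ "${RUN_VERIFY:-0}" = "1" ]; then
  main "$@"
fi
```

Run it with `RUN_VERIFY=1 SIGNER_IDENTITY=... sh verify-k8s-release.sh`; a non-zero exit from `cosign verify-blob` means the binary must not be used. The checksum helper is kept separate from the signature step on purpose: a published hash only catches corruption or tampering of the download, while the certificate check ties the artifact to a specific signing identity.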

In early 2021, the Kubernetes team began exploring SLSA (https://slsa.dev/, pronounced "salsa") compliance to improve Kubernetes software supply chain security.
