Sigstore (https://www.sigstore.dev/), the open source software signing service, is now available to everyone who needs to prove to a customer what’s what in their code. Which, by the way, is pretty much every commercial software developer on the planet.
It forced us to realize we had to really secure our software source code, supply chain security.
It improves software supply chain security by making it easy to cryptographically sign release files, container images, and binaries.
Most recently, npm announced it would adopt Sigstore for software supply chain security (https://thenewstack.io/npm-to-adopt-sigstore-for-software-supply-chain-security/). Because of Sigstore, Brian Behlendorf (https://www.linkedin.com/in/brianbehlendorf/), OpenSSF’s General Manager, said, “Signatures on software components are an essential part of securing the global software supply chain.”