Category: Software, Security, Privacy, Infrastructure, automation, artificial-intelligence

At the event, Chris Wright, senior vice president and Chief Technology Officer of Red Hat, discussed Sigstore, a relatively new digital-signing method for securing software supply chains. “The answer to securing software supply chains lies in digitally-signing the various artifacts that comprise applications, from binaries and containers to aggregated files (like tarballs) and software-bills-of-materials (SBOM),” wrote Luke Hinds, Security Engineering Lead in the Office of the CTO at Red Hat, in a blog post.
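To make the signing-of-artifacts idea concrete, here is an added example (not Sigstore's or Red Hat's code) that signs the SHA-256 digest of two constructed release artifacts, a binary and an SBOM, and then verifies them. It assumes a locally generated Ed25519 key pair in place of Sigstore's keyless Fulcio certificates and Rekor transparency log, and the artifact contents, names and the `RunDemo` helper are all hypothetical sample data; what it shows is the part common to both approaches: a detached signature over a digest that fails for a tampered artifact and for a signature lifted from a different artifact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is any file in a release: a binary, a container layer, a tarball or an SBOM.
type Artifact struct {
	Name    string
	Content []byte
}

// Signature is the detached record a consumer checks: the digest that was signed,
// the signature over it, and the public key it verifies under.
type Signature struct {
	Digest    string // hex-encoded SHA-256 of the artifact bytes
	Sig       []byte
	PublicKey ed25519.PublicKey
}

// Digest hashes the artifact content. Signing the digest rather than the raw bytes
// keeps the signature the same size for a small SBOM and a large image alike.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Sign produces a detached Ed25519 signature over the artifact digest.
func Sign(priv ed25519.PrivateKey, a Artifact) Signature {
	d := Digest(a.Content)
	return Signature{
		Digest:    d,
		Sig:       ed25519.Sign(priv, []byte(d)),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify recomputes the digest from the bytes actually received and checks the
// signature over that digest, so both a modified artifact and a signature copied
// from a different artifact are rejected.
func Verify(s Signature, a Artifact) bool {
	d := Digest(a.Content)
	if d != s.Digest {
		return false
	}
	return ed25519.Verify(s.PublicKey, []byte(d), s.Sig)
}

// DemoResults reports the three checks a consumer of the release cares about.
type DemoResults struct {
	GenuineBinaryOK   bool // untouched binary verifies
	TamperedBinaryOK  bool // a one-byte change must not verify
	SBOMSigOnBinaryOK bool // the SBOM's signature must not verify the binary
}

// RunDemo signs a constructed binary and a constructed SBOM with a freshly generated
// key, then runs the three verifications. Inputs are hypothetical sample data.
func RunDemo() (DemoResults, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResults{}, err
	}
	binary := Artifact{Name: "app-linux-amd64", Content: []byte("\x7fELF sample binary bytes (constructed)")}
	sbom := Artifact{Name: "app.spdx.json", Content: []byte(`{"spdxVersion":"SPDX-2.3","name":"app","packages":[{"name":"app","versionInfo":"1.0.0"}]}`)}

	binSig := Sign(priv, binary)
	sbomSig := Sign(priv, sbom)

	// Simulate a supply-chain modification: flip one bit in the last byte of the binary.
	tampered := Artifact{Name: binary.Name, Content: append([]byte(nil), binary.Content...)}
	tampered.Content[len(tampered.Content)-1] ^= 0x01

	return DemoResults{
		GenuineBinaryOK:   Verify(binSig, binary),
		TamperedBinaryOK:  Verify(binSig, tampered),
		SBOMSigOnBinaryOK: Verify(sbomSig, binary),
	}, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine binary verifies: %v\n", r.GenuineBinaryOK)
	fmt.Printf("tampered binary verifies: %v\n", r.TamperedBinaryOK)
	fmt.Printf("SBOM signature accepted for binary: %v\n", r.SBOMSigOnBinaryOK)
}
```

The check that a signature issued for the SBOM does not verify the binary matters in practice: a verifier that only checks "is this a valid signature from a trusted key" without binding it to the specific digest being consumed can be fooled by replaying a legitimate signature from another file in the same release.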

Sigstore offers a method to enhance security for software supply chains in an open, transparent and accessible manner, Wright said in a keynote at the OSS event.

“By building on a clever composition of existing technologies that respect privacy and work at scale, Sigstore is the core infrastructure needed to solve the fundamental problem of ensuring the security of the open source software ecosystem without undermining the open, decentralized collaboration that makes it work,” said Mike Malone, CEO of Smallstep, in the Google team’s post.

Transparency, partnership and trust are three important words that should be familiar to everyone who’s involved in open source communities and software development, Wright said.
