Sigstore: Signature verification for protection against supply chain attacks

Software supply chain attacks have been increasing over the past few years, spurring the Biden administration to issue an executive order (EO 14028, May 2021) that details what government agencies must do to protect themselves against them.

These attacks take several different forms, but the outcome is the same: an attacker gets to run code on your infrastructure or to tamper with the code you are running in production.

The Sigstore project aims to address these threats by building an open standard for signing, verifying and protecting software. It ties each signature to the identity that produced it and records it in a public transparency log, so a consumer can check that a piece of software is what it claims to be and comes from where it claims to come from.

In this video for Help Net Security, Dan Lorenc, CTO at Chainguard, talks about the Sigstore project and how it was used to sign and verify the Kubernetes 1.24 release.

