Skip to content

Commit

Permalink
November 23 Project Update (#53)
Browse files Browse the repository at this point in the history
* November 23 Project Update

Note, news was gathered with Google News 1 Oct 2023 – 30 Nov 2023

From now on, will limit to a month

Signed-off-by: Luke Hinds <[email protected]>

* Add openssf blog

Signed-off-by: Luke Hinds <[email protected]>

* Update content/sigstore-november-roundup-2023.md

Co-authored-by: Bob Callaway <[email protected]>
Signed-off-by: Luke Hinds <[email protected]>

* Review additions

Signed-off-by: Luke Hinds <[email protected]>

---------

Signed-off-by: Luke Hinds <[email protected]>
Co-authored-by: Bob Callaway <[email protected]>
  • Loading branch information
lukehinds and bobcallaway authored Dec 4, 2023
1 parent c77c11c commit 5e25e04
Showing 1 changed file with 119 additions and 0 deletions.
119 changes: 119 additions & 0 deletions content/sigstore-november-roundup-2023.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
+++

title = "Sigstore November Roundup"
date = "2023-11-30"
tags = ["sigstore","securesupplychain"]
draft = false
author = "Luke Hinds (TSC Chair)"
type = "post"

+++

Welcome to the November edition of the Sigstore Roundup! This is a regular summary of Sigstore news, events, releases and other happenings.

### Sigstore Google Season of Docs 2023 Case Study

A very comprehisive case study has been published on the [Sigstore docs wiki](https://github.com/sigstore/docs/wiki/Sigstore-Google-Season-of-Docs-2023-Case-Study) about the Sigstore project's participation in the 2023 program.

Thank you Lisa Tagliaferri for all your hard work on this and making it a success!

### Latest Releases

#### Rekor v1.3.3

Rekor’s aims to provide an immutable tamper-resistant ledger of metadata generated within a software projects supply chain.

Check out the last major release [v1.3.1](https://github.com/sigstore/rekor/releases/tag/v1.3.1), made since we last updated you.

- Enable GCP cloud profiling on rekor-server
- Move index storage into interface
- Add type of ed25519 key for TUF
- Allow parsing base64-encoded TUF metadata and root content

#### Cosign v2.2.1

Cosign is container signing, verification and storage in an OCI registry. Its latest release is [v2.2.1](https://github.com/sigstore/cosign/releases/tag/v2.2.1).

Some of the main new features include:

- Support basic auth and bearer auth login to registry
- COSIGN_PKCS11_IGNORE_CERTIFICATE environment variable to skip loading certificates into a PKCS11 key when set to "1".
- Cosign triangulate now supports image digest retrieval from OCI registries
- Attach rekor bundle to a container image
- Add support outputting rekor response on signing

#### Gitsign v0.8.0

Keyless Git signing with Sigstore! Its latest release is [v0.8.0](https://github.com/sigstore/gitsign/releases/tag/v0.8.0).

What’s changed:

- Add options for Rekor client, make public key fetcher configurable.
- Add gitsign initialize. (#321)
- Fix offline verification marshalling, add e2e tests.

### Sigstore Libraries

Le'ts take a look at the latest releases / updates of the Sigstore libraries.

#### sigstore-rs v0.7.3

A Rust library for interacting with Sigstore. Its latest release is [v0.7.3](https://github.com/sigstore/sigstore-rs/releases/tag/v0.7.3).

What’s changed:

- sigstore-rs now supports use of a TUF trustroot. This allows for the use of a TUF repository as a trust root for verifying signatures.

#### sigstore-java v0.5.0

Lots of new changes in the sigstore java library. Its latest release is [v0.5.0](https://github.com/sigstore/sigstore-java/releases/tag/v0.5.0)

What’s changed:

- BYOB-based SLSA-generator
- pkix der encoded key parsing
- Add accessors to trustroot

#### sigstore-go

While not at its first release, development on the Go library is still ongoing!

Do check it out where there a lots of examples on using the library [see here](https://github.com/sigstore/sigstore-go#examples)

### sigstore-python

The Python library is also still under active development. Check out the last major release [v2.0.0](https://github.com/sigstore/sigstore-python/releases/tag/v2.0.0), made since we last updated you.

- CLI: sigstore sign and sigstore get-identity-token now support the
--oauth-force-oob option; which has the same behavior as the
preexisting `SIGSTORE_OAUTH_FORCE_OOB` environment variable
- Version 0.2 of the Sigstore bundle format is now supported
- API addition: VerificationMaterials.to_bundle() is a new public API for
producing a standard Sigstore bundle from sigstore-python's internal
representation
- API addition: New method sign.SigningResult.to_bundle() allows signing
applications to serialize to the bundle format that is already usable in
verification with verify.VerificationMaterials.from_bundle()

### sigstore-js

The JavaScript library (used to power NPM provenannce) is also still under
active development. Check out the last major release [2.1.0](https://github.com/sigstore/sigstore-js/releases/tag/sigstore%402.1.0)

sigstore-js is one of the our more mature libraries now, so changes are mostly
bug fixes and minor improvements.

### In the News

- JPMorgan’s Global CISO urges use of Sigstore, Alpha-Omega in open source security drive [read more](https://www.thestack.technology/jpmorgans-global-ciso-use-sigstore-alpha-omega/)
- Sigstore: Simplifying Code Signing for Open Source Ecosystems [read more](https://openssf.org/blog/2023/11/21/sigstore-simplifying-code-signing-for-open-source-ecosystems/)
- Stacklok Builds on Sigstore to Identify Safe Open Source Libraries [read more](https://thenewstack.io/stacklok-builds-on-sigstore-to-identify-safe-open-source-libraries/)
- Wind River Further Expands VxWorks RTOS Containers Leadership with Cosign Support [read more](https://www.busistacklnesswire.com/news/home/20231101614010/en/)

### Join the Community!

New contributors and users are always welcome into our community. We take pride in being friendly to new folks and fostering a welcoming and safe environment. Being a large open source project, there is always so much to do, not all of them being complex coding tasks.

Valued contributions include: helping with documentation, general testing, and sharing your love of Sigstore with others.

Join our [Slack workspace](https://join.slack.com/t/sigstore/shared_invite/zt-mhs55zh0-XmY3bcfWn4XEyMqUUutbUQ) and come say hello! 👋

0 comments on commit 5e25e04

Please sign in to comment.