
Updates and recent posts about Sigstore.
Story
@laura_garcia shared a post, 1 month ago
Software Developer, RELIANOID

DevDays • DevOps Pro • CyberWiseCon Europe

🚀 DevDays • DevOps Pro • CyberWiseCon Europe. Three conferences. One ecosystem. Unlimited innovation. From May 19–22, 2026, RELIANOID will join the unified experience of DevDays, DevOps Pro, and CyberWiseCon Europe in Vilnius. A unique event bringing together developers, DevOps engineers, cybersecu..

Activity
@harshilmalvi started using tool Microsoft Power Platform, 1 month ago.
Activity
@harshilmalvi started using tool CloudSuite, 1 month ago.
Activity
@mashka posted an event AI Is Already Inside Your SDLC. Now What? by Xygeni, 1 month ago.
Link
@mfahlandt shared a link, 1 month ago
Customer Delivery Architect, Kubermatic

Last Week in Cloud Native

Last Week in Cloud Native (LWCN) is a weekly newsletter dedicated to keeping the Cloud Native community informed about the latest releases, news, and developments in the CNCF ecosystem.

📅 Published: every Monday

🌍 Language: English

💶 Price: free, no paywall

🧑‍💻 Publisher: Mario Fahlandt

We believe staying current with the rapidly evolving Cloud Native landscape shouldn't require hours of research. LWCN distills the most important updates from across the ecosystem into a concise, actionable weekly digest, written in a neutral, journalistic tone, with no marketing fluff.

Story
@laura_garcia shared a post, 1 month ago
Software Developer, RELIANOID

๐—ก๐—ฒ๐˜„ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—”๐—ฑ๐˜ƒ๐—ถ๐˜€๐—ผ๐—ฟ๐˜†: ๐——๐—ถ๐—ฟ๐˜๐˜† ๐—™๐—ฟ๐—ฎ๐—ด (๐—–๐—ฉ๐—˜-๐Ÿฎ๐Ÿฌ๐Ÿฎ๐Ÿฒ-๐Ÿฐ๐Ÿฏ๐Ÿฎ๐Ÿด๐Ÿฐ & ๐—–๐—ฉ๐—˜-๐Ÿฎ๐Ÿฌ๐Ÿฎ๐Ÿฒ-๐Ÿฐ๐Ÿฏ๐Ÿฑ๐Ÿฌ๐Ÿฌ)

🚨 New Security Advisory: Dirty Frag (CVE-2026-43284 & CVE-2026-43500) Two newly disclosed Linux kernel vulnerabilities, collectively known as Dirty Frag, impact specific IPsec/XFRM packet handling paths in Linux. What does this mean for RELIANOID users? ✅ RELIANOID load balancing deployments are N..

Link
@varbear shared a link, 1 month, 1 week ago
FAUN.dev()

Skill Issues: How We Discovered Supply Chain Attack Vectors in an AI Agent Skills Marketplace

Orca Security researchers identified four attack primitives in an AI coding-agent skills marketplace: install-count inflation without authentication, security scans at creation and popularity thresholds, same-name overrides without user alerts, and bulk updates without per-skill review or version pi.. read more

Link
@varbear shared a link, 1 month, 1 week ago
FAUN.dev()

Adventures in 30 Years in Engineering Productivity

Carlos Arguelles collects a decade of writing on engineering productivity at Microsoft, Amazon, and Google, covering monorepo versus microrepo CI/CD philosophies, hermetic test environments, ML-based bug deduplication, code coverage debates, and the AI-driven shift toward autonomous validation of ge.. read more

Link
@varbear shared a link, 1 month, 1 week ago
FAUN.dev()

I Deleted My Clever Code and the Database Got Better

A first-person walkthrough of rewriting an embedded key-value store after a friend spotted that the lock-free ring buffer was writing to a slot before claiming ownership, with the rebuilt single-mutex version 76 lines smaller, more correct, and explicit about every tradeoff (fsync on every write, no.. read more

Link
@varbear shared a link, 1 month, 1 week ago
FAUN.dev()

6 Multi-Agent Orchestration Design Patterns Every Developer Should Know

Chris Pietschmann walks through six multi-agent orchestration patterns (sequential pipeline, fan-out/fan-in, hierarchical delegation, consensus, event-driven, iterative refinement) and the state management primitives that let them compose... read more

Sigstore is an open source initiative designed to make software artifact signing and verification simple, automatic, and widely accessible. Its primary goal is to improve software supply chain security by enabling developers and organizations to cryptographically prove the origin and integrity of the software they build and distribute.

At its core, Sigstore removes many of the traditional barriers associated with code signing. Instead of generating and guarding a long-lived private key, a signer can use keyless signing: an ephemeral key pair is generated for the signing run, and a short-lived certificate binding that key to an identity proven through an OpenID Connect (OIDC) provider such as GitHub Actions, Google, or Microsoft is issued for it. The private key is discarded once the signature is made, so there is no long-lived key to leak, rotate, or steal; this dramatically lowers operational complexity as well as the risk of key compromise.

The sigstore ecosystem is composed of several key components:

- Cosign: A tool for signing, verifying, and storing signatures for container images and other artifacts. Signatures are stored in the OCI registry next to the image, as a separate artifact addressed by the image's digest, rather than embedded in the image. What gets signed is that immutable digest, not a mutable tag, so a tag that is later re-pointed at a different image will not verify.

- Fulcio: A certificate authority that issues short-lived (about ten minutes) X.509 certificates for an ephemeral signing key, recording the OIDC identity and the issuer that vouched for it in the certificate. This is what makes keyless signing possible.

- Rekor: A transparency log that records each signing event (certificate, signature, and artifact digest) in an append-only, tamper-evident ledger. This provides public auditability and detection of suspicious or malicious signing activity, and the log's inclusion timestamp is what lets a verifier accept a signature made with a certificate that expired minutes after signing.

Together, these components allow anyone to verify which identity signed an artifact, when it was signed, and whether it has been tampered with since, using publicly verifiable cryptographic proofs. A verifier must state which identity and which OIDC issuer it expects; a signature is only as meaningful as the identity it is checked against. This aligns closely with modern supply chain security practices such as SLSA (Supply-chain Levels for Software Artifacts), where signed provenance attestations describe how an artifact was built.
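As an added illustration, not Sigstore's or cosign's own code, the Go program below reproduces the keyless flow offline. A toy CA stands in for Fulcio; `keylessSign` issues a ten-minute certificate binding an e-mail identity and an OIDC issuer to an ephemeral ECDSA key and signs an artifact digest; `verify` performs the checks that `cosign verify --certificate-identity` and `--certificate-oidc-issuer` perform (chain to the trust root, identity and issuer match, signature valid over the artifact), evaluated at the signing time rather than the current clock. Without the identity and issuer checks, any certificate the CA ever issued would pass. The identity `dev@example.com`, the issuer `https://accounts.google.com`, the artifact bytes and the issuer-extension OID are assumptions made for this example; Rekor is not modelled, which is why the signing time is passed in explicitly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fulcio's OIDC-issuer extension lives under Sigstore's private enterprise number
// 57264; the exact arc used here is an assumption, confirm it in the Sigstore OID docs.
var fulcioIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Bundle stands in for a Sigstore bundle: the signature plus the short-lived
// certificate that binds an OIDC identity to the (already discarded) signing key.
type Bundle struct{ Signature, CertDER []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo only; production code propagates errors
	}
	return v
}

// newToyCA stands in for Fulcio; real verifiers get Fulcio's root from the Sigstore TUF repository.
func newToyCA() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-fulcio"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, ca, key
}

// keylessSign mirrors the Fulcio flow: an ephemeral key, a ten-minute certificate
// carrying the OIDC identity (an e-mail, as a Google or Microsoft login yields) and
// the issuer, a signature over the artifact's SHA-256 digest, then the key is dropped.
func keylessSign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, identity, issuer string, artifact []byte) Bundle {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // never written to disk
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, EmailAddresses: []string{identity},
		ExtraExtensions: []pkix.Extension{{Id: fulcioIssuerOID, Value: []byte(issuer)}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	digest := sha256.Sum256(artifact)
	return Bundle{Signature: must(ecdsa.SignASN1(rand.Reader, key, digest[:])), CertDER: der}
}

// verify does what `cosign verify --certificate-identity ID --certificate-oidc-issuer ISSUER`
// does, then checks the signature; `at` must be the signing time (Rekor's integrated time).
func verify(roots *x509.CertPool, b Bundle, artifact []byte, wantIdentity, wantIssuer string, at time.Time) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantIdentity {
		return errors.New("certificate identity mismatch")
	}
	var issuer string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(fulcioIssuerOID) {
			issuer = string(ext.Value)
		}
	}
	if issuer != wantIssuer {
		return errors.New("OIDC issuer mismatch")
	}
	digest := sha256.Sum256(artifact)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	roots, ca, caKey := newToyCA()
	artifact := []byte("constructed release tarball bytes") // sample input for the demo
	b := keylessSign(ca, caKey, "dev@example.com", "https://accounts.google.com", artifact)
	fmt.Println("genuine:      ", verify(roots, b, artifact, "dev@example.com", "https://accounts.google.com", time.Now()))
	fmt.Println("an hour later:", verify(roots, b, artifact, "dev@example.com", "https://accounts.google.com", time.Now().Add(time.Hour)))
}
```

Verifying against the current clock instead of the recorded signing time fails once the ten minutes are up, which is exactly the gap Rekor's integrated timestamp closes; this is also why cosign makes the identity and issuer flags mandatory for keyless verification rather than accepting any Fulcio-issued certificate.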

Sigstore is widely adopted in the cloud-native ecosystem and integrates with tools like Kubernetes admission controllers, container registries, CI/CD pipelines, and package managers. It is commonly used to sign container images, Helm charts, binaries, SBOMs, and attestations, and is increasingly becoming a baseline security requirement for production software delivery.

The project is governed by the OpenSSF (Open Source Security Foundation) and supported by major industry players.