Sigstore is an open source initiative designed to make software artifact signing and verification simple, automatic, and widely accessible. Its primary goal is to improve software supply chain security by enabling developers and organizations to cryptographically prove the origin and integrity of the software they build and distribute.

At its core, Sigstore removes many of the traditional barriers to code signing. Instead of generating and guarding long-lived private keys, it supports keyless signing: the signer authenticates to an OpenID Connect (OIDC) provider such as GitHub Actions, Google, or Microsoft, generates an ephemeral key pair locally, and receives a short-lived certificate that binds that public key to the OIDC identity. The private key is discarded once the signature has been produced, so there is no key to rotate, leak, or steal later. This removes most of the operational burden of key management and shrinks the window in which a compromised key can be abused to minutes.

The sigstore ecosystem is composed of several key components:

- Cosign: A command-line tool for signing, verifying, and storing signatures (and attestations such as SBOMs and provenance) for container images and other artifacts. Signatures are stored as separate objects next to the image in the same OCI repository, under a tag derived from the image digest, rather than inside the image, so the image digest itself is unchanged by signing.

- Fulcio: A certificate authority that issues short-lived (minutes, not years) X.509 certificates binding an OIDC identity to the signer's ephemeral public key. This is what makes keyless signing possible.

- Rekor: A transparency log that records signing events in an append-only, tamper-evident Merkle-tree ledger. Each entry carries the time at which the log accepted it, which lets a verifier confirm that the signature was made while the short-lived certificate was still valid, and the public log lets anyone audit which identities signed what and spot unexpected signing activity.

Together, these components allow anyone to verify which identity signed an artifact, when it was signed, and whether it has been modified since, using publicly verifiable cryptographic proofs. Note that the signature alone proves who signed, not who built: establishing how an artifact was built requires a signed provenance attestation, which is where Sigstore fits into SLSA (Supply-chain Levels for Software Artifacts).

Sigstore is widely adopted in the cloud-native ecosystem and integrates with tools like Kubernetes admission controllers, container registries, CI/CD pipelines, and package managers. It is commonly used to sign container images, Helm charts, binaries, and SBOMs, and is increasingly becoming a baseline security requirement for production software delivery. One caveat a verifier must not skip: the expected signer identity and OIDC issuer have to be pinned (in Cosign, --certificate-identity or --certificate-identity-regexp together with --certificate-oidc-issuer). A signature that is cryptographically valid but was produced by an arbitrary identity, or by the same identity string from a different issuer, proves nothing about the artifact's origin.
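To make the verification policy concrete, here is an added example (not code from Sigstore or Cosign) that models the fields Fulcio puts in the signing certificate and Rekor records in the log entry, and applies the three policy checks a keyless verifier performs: identity pinning, issuer pinning, and "was the certificate valid at the time the log recorded the signature". It does not parse real certificates or check the ECDSA signature itself; the dataclasses, the example-org workflow identity and all timestamps are constructed for illustration. The signature-tag helper reproduces Cosign's convention of storing the signature under sha256-<digest>.sig in the image's repository.

```python
"""Model of the policy checks a Sigstore verifier applies to a keyless signature.

Added example, not Sigstore/Cosign code. Certificate and log-entry fields are
modelled as plain dataclasses (no DER parsing, no ECDSA check) so the policy
logic can be exercised offline on constructed inputs.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SigningCert:
    # Fields a Fulcio leaf certificate carries (modelled, not parsed from DER).
    identity: str          # SubjectAltName: e-mail or CI workflow URI
    issuer: str            # OIDC issuer extension
    not_before: datetime
    not_after: datetime    # Fulcio certificates live minutes, not years


@dataclass(frozen=True)
class RekorEntry:
    # Fields from the transparency-log entry for the signing event (modelled).
    log_index: int
    integrated_time: datetime  # when the log accepted the entry


@dataclass(frozen=True)
class Policy:
    # What the verifier pins; Cosign exposes these as
    # --certificate-identity(-regexp) and --certificate-oidc-issuer.
    identity_regexp: str
    issuer: str


def artifact_digest(data: bytes) -> str:
    """OCI-style digest string for an artifact or image-manifest body."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def cosign_signature_tag(digest: str) -> str:
    """Tag under which Cosign stores the signature object next to the image:
    sha256:<hex> becomes sha256-<hex>.sig in the same repository."""
    algo, _, hexdigest = digest.partition(":")
    if algo != "sha256" or not re.fullmatch(r"[0-9a-f]{64}", hexdigest):
        raise ValueError(f"not an OCI sha256 digest: {digest!r}")
    return f"{algo}-{hexdigest}.sig"


def verify_policy(cert: SigningCert, entry: RekorEntry, policy: Policy) -> list[str]:
    """Return the list of policy failures. An empty list means the signature is
    acceptable, provided the cryptographic checks (omitted here) also pass."""
    failures = []
    # 1. Identity pinning: a valid signature from *any* identity proves nothing.
    if not re.fullmatch(policy.identity_regexp, cert.identity):
        failures.append(f"identity {cert.identity!r} does not match {policy.identity_regexp!r}")
    # 2. Issuer pinning: the same identity string could come from another IdP.
    if cert.issuer != policy.issuer:
        failures.append(f"issuer {cert.issuer!r} != expected {policy.issuer!r}")
    # 3. The certificate is short-lived, so the question is not "is it valid now"
    #    but "was it valid when the log recorded the signing event".
    if not (cert.not_before <= entry.integrated_time <= cert.not_after):
        failures.append(
            f"signing time {entry.integrated_time.isoformat()} outside certificate "
            f"validity [{cert.not_before.isoformat()}, {cert.not_after.isoformat()}]"
        )
    return failures


# Constructed sample data (hypothetical organisation, workflow and times).
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
GH_ISSUER = "https://token.actions.githubusercontent.com"
WORKFLOW = "https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/v1.2.0"
POLICY = Policy(
    identity_regexp=r"https://github\.com/example-org/app/\.github/workflows/release\.yml@refs/tags/v[0-9.]+",
    issuer=GH_ISSUER,
)
GOOD_CERT = SigningCert(WORKFLOW, GH_ISSUER, T0, T0 + timedelta(minutes=10))
GOOD_ENTRY = RekorEntry(log_index=1, integrated_time=T0 + timedelta(minutes=2))


def demo() -> dict:
    """Run the policy against a good signature and three realistic failures."""
    fork = SigningCert(WORKFLOW.replace("example-org", "attacker"), GH_ISSUER,
                       GOOD_CERT.not_before, GOOD_CERT.not_after)
    other_idp = SigningCert(WORKFLOW, "https://accounts.google.com",
                            GOOD_CERT.not_before, GOOD_CERT.not_after)
    late_entry = RekorEntry(log_index=2, integrated_time=T0 + timedelta(hours=3))
    return {
        "good": verify_policy(GOOD_CERT, GOOD_ENTRY, POLICY),
        "fork": verify_policy(fork, GOOD_ENTRY, POLICY),
        "other_idp": verify_policy(other_idp, GOOD_ENTRY, POLICY),
        "expired_at_signing": verify_policy(GOOD_CERT, late_entry, POLICY),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(name, "OK" if not failures else failures)
    print(cosign_signature_tag(artifact_digest(b"constructed manifest bytes")))
```

The "expired_at_signing" case is the one people get wrong: checking the certificate against the current clock would reject every signature more than a few minutes old, so the verifier must use the Rekor integrated time, which is itself covered by the log's inclusion proof.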

The project is hosted under the OpenSSF (Open Source Security Foundation) and is supported by major industry players.