Linux Foundation Lead Sigstore Project Enabling Secure Signing of Software
The service will be free to use for all developers and software providers, with the sigstore code and operation tooling developed by the sigstore community.
“sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO. “By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development.”
“The only personal data we require will be provided from an OpenID Connect grant, and we keep that as lean as we can (the users email address)”
The system uses OpenID as an identification system and only stores the email address of the developer in their logs. If this statement in the FAQ is correct, there is no link with the actual name of the developer or company as is common with current code signing certificates. I am not sure how people will conceive the trust of such a certificate if you have no idea who is behind it.
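Since a certificate issued this way carries only an email address and the identity provider that vouched for it, the trust decision moves to the verifier: it must pin both the expected OIDC issuer and the expected signer identity (the same two things cosign's --certificate-identity and --certificate-oidc-issuer options check). The Go program below is an added illustration written for this thread, not code from the sigstore project: it generates a self-signed certificate shaped like a short-lived signing leaf (email SAN plus the issuer extension Fulcio uses, OID 1.3.6.1.4.1.57264.1.1, set here by the example itself), extracts the identity, and enforces a hypothetical policy. The email, issuer URL and policy values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OID of the certificate extension in which Fulcio records the OIDC issuer URL.
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// SignerPolicy is what the verifier decides to trust: an exact issuer and
// either an exact email address or an allowed email domain.
type SignerPolicy struct {
	Issuer      string
	Email       string // exact match when non-empty
	EmailDomain string // domain match when Email is empty
}

// SignerIdentity is what the certificate actually asserts about the signer.
type SignerIdentity struct {
	Email  string
	Issuer string
}

// ExtractIdentity reads the single email SAN and the issuer extension.
// A certificate without both is rejected rather than trusted by default.
func ExtractIdentity(cert *x509.Certificate) (SignerIdentity, error) {
	var id SignerIdentity
	if len(cert.EmailAddresses) != 1 {
		return id, fmt.Errorf("expected exactly one email SAN, got %d", len(cert.EmailAddresses))
	}
	id.Email = cert.EmailAddresses[0]
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			id.Issuer = string(ext.Value)
		}
	}
	if id.Issuer == "" {
		return id, errors.New("certificate carries no OIDC issuer extension")
	}
	return id, nil
}

// CheckPolicy returns nil only when both the issuer and the identity match.
// The issuer check matters: the same email string could be asserted by a
// different identity provider, so the email alone is not the trust anchor.
func CheckPolicy(id SignerIdentity, p SignerPolicy) error {
	if id.Issuer != p.Issuer {
		return fmt.Errorf("issuer %q is not the expected %q", id.Issuer, p.Issuer)
	}
	email := strings.ToLower(id.Email)
	if p.Email != "" {
		if email != strings.ToLower(p.Email) {
			return fmt.Errorf("signer %q is not %q", id.Email, p.Email)
		}
		return nil
	}
	at := strings.LastIndex(email, "@")
	if at < 0 || email[at+1:] != strings.ToLower(p.EmailDomain) {
		return fmt.Errorf("signer %q is not in domain %q", id.Email, p.EmailDomain)
	}
	return nil
}

// NewTestCert builds a self-signed certificate with the same identity fields
// a Fulcio leaf carries. Constructed locally for the example; not issued by Fulcio.
func NewTestCert(email, issuer string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{}, // keyless leaves have an empty subject
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert("dev@example.com", "https://accounts.example.com")
	if err != nil {
		panic(err)
	}
	id, err := ExtractIdentity(cert)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signer: %s via %s\n", id.Email, id.Issuer)
	good := SignerPolicy{Issuer: "https://accounts.example.com", EmailDomain: "example.com"}
	badIssuer := SignerPolicy{Issuer: "https://other.example", EmailDomain: "example.com"}
	fmt.Println("expected policy:", CheckPolicy(id, good))
	fmt.Println("wrong issuer:   ", CheckPolicy(id, badIssuer))
}
```

In practice the certificate chain itself must also be validated against the Fulcio root and the signature checked against the transparency log; this example isolates only the identity decision the post is asking about, and shows that the verifier, not the certificate, is where "who is behind it" gets answered.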