Join us

ContentUpdates and recent posts about Sigstore..
Link
kala
@kala shared a link, 1 week, 3 days ago
FAUN.dev()

I Will Never Use AI to Code (or write)

This article discusses the negative impacts of relying on AI for coding and skill development. The cycle of using AI leading to skill decay, skill collapse, and the end of capability is highlighted as a major concern. The economic implications of AI usage in various industries and the lack of profit.. read more  

Share: Twitter

|

Linkedin

|

Facebook

|

Pocket

|

Reddit

|

Hacker News

|

Email
Link
kala
@kala shared a link, 1 week, 3 days ago
FAUN.dev()

How AI Agents Automate CVE Vulnerability Research

A multi-agent system runs onGoogle's Agent Development Kit (ADK). It orchestrates specialized AI models for CVE research and report synthesis. It runso4-mini-deep-researchwith web search. On timeouts it falls back toGPT‑5. It extracts structured technical requirements. It maps those requirements to .. read more  

How AI Agents Automate CVE Vulnerability Research
Share: Twitter

|

Linkedin

|

Facebook

|

Pocket

|

Reddit

|

Hacker News

|

Email
 Activity
environmentalbit3940
@environmentalbit3940 started using tool werf , 1 week, 3 days ago.
 Activity
environmentalbit3940
@environmentalbit3940 started using tool VictoriaMetrics , 1 week, 3 days ago.
 Activity
environmentalbit3940
@environmentalbit3940 started using tool SaltStack , 1 week, 3 days ago.
 Activity
environmentalbit3940
@environmentalbit3940 started using tool Python , 1 week, 3 days ago.
 Activity
environmentalbit3940
@environmentalbit3940 started using tool Pulumi , 1 week, 3 days ago.
 Activity
environmentalbit3940
@environmentalbit3940 started using tool Kubernetes , 1 week, 3 days ago.
 Activity
environmentalbit3940
@environmentalbit3940 started using tool Grafana , 1 week, 3 days ago.
 Activity
environmentalbit3940
@environmentalbit3940 started using tool Go , 1 week, 3 days ago.
Sigstore is an open source initiative designed to make software artifact signing and verification simple, automatic, and widely accessible. Its primary goal is to improve software supply chain security by enabling developers and organizations to cryptographically prove the origin and integrity of the software they build and distribute.

At its core, sigstore removes many of the traditional barriers associated with code signing. Instead of managing long-lived private keys manually, sigstore supports keyless signing, where identities are issued dynamically using OpenID Connect (OIDC) providers such as GitHub Actions, Google, or Microsoft. This dramatically lowers operational complexity and reduces the risk of key compromise.

The sigstore ecosystem is composed of several key components:

- Cosign: A tool for signing, verifying, and storing signatures for container images and other artifacts. Signatures are stored alongside artifacts in OCI registries, rather than embedded in them.

- Fulcio: A certificate authority that issues short-lived X.509 certificates based on OIDC identities, enabling keyless signing.

- Rekor: A transparency log that records signing events in an append-only, tamper-evident ledger. This provides public auditability and detection of suspicious or malicious signing activity.

Together, these components allow anyone to verify who built an artifact, when it was built, and whether it has been tampered with, using publicly verifiable cryptographic proofs. This aligns closely with modern supply chain security practices such as SLSA (Supply-chain Levels for Software Artifacts).

sigstore is widely adopted in the cloud-native ecosystem and integrates with tools like Kubernetes, container registries, CI/CD pipelines, and package managers. It is commonly used to sign container images, Helm charts, binaries, and SBOMs, and is increasingly becoming a baseline security requirement for production software delivery.

The project is governed by the OpenSSF (Open Source Security Foundation) and supported by major industry players.