Updates and recent posts about Sigstore..

Posts
Description

Activity

@environmentalbit3940 started using tool Python , 1 week, 4 days ago.

Activity

@environmentalbit3940 started using tool Pulumi , 1 week, 4 days ago.

Activity

@environmentalbit3940 started using tool Kubernetes , 1 week, 4 days ago.

Activity

@environmentalbit3940 started using tool Grafana , 1 week, 4 days ago.

Activity

@environmentalbit3940 started using tool Go , 1 week, 4 days ago.

Activity

@environmentalbit3940 started using tool GNU/Linux , 1 week, 4 days ago.

Activity

@environmentalbit3940 started using tool GitLab CI/CD , 1 week, 4 days ago.

Link

@devopslinks shared a link, 1 week, 4 days ago

FAUN.dev()

Building a Database on S3

This paper from 2008 proposes a shared-disk design over Amazon S3 for cloud-native databases, separating storage from compute. Clients write redo logs to Amazon SQS instead of directly to S3 to hide latency. The paper presents a blueprint for serverless databases before the term existed... read more

Link

@devopslinks shared a link, 1 week, 4 days ago

FAUN.dev()

AWS RDS Cost Optimization Guide: Cut Database Costs in 2026

Amazon RDS costs are not fixed - they vary based on configuration and usage. Making informed configuration and governance decisions is key to optimizing costs. Graviton instances offer better price-performance for common databases, while storage costs can be reduced by decoupling performance from ca.. read more

Link

@devopslinks shared a link, 1 week, 4 days ago

FAUN.dev()

Introducing Agentic Observability in NGINX: Real-time MCP Traffic Monitoring

NGINX ships an open-sourceAgentic ObservabilityJS module. It parsesMCPtraffic and extracts tool names, error statuses, and client/server identities. The module uses nativeOpenTelemetryto export spans. A Docker Compose reference wires upOTel collector,Prometheus, andGrafanafor realtime throughput, la.. read more

Sigstore is an open source initiative designed to make software artifact signing and verification simple, automatic, and widely accessible. Its primary goal is to improve software supply chain security by enabling developers and organizations to cryptographically prove the origin and integrity of the software they build and distribute.

At its core, sigstore removes many of the traditional barriers associated with code signing. Instead of managing long-lived private keys manually, sigstore supports keyless signing, where identities are issued dynamically using OpenID Connect (OIDC) providers such as GitHub Actions, Google, or Microsoft. This dramatically lowers operational complexity and reduces the risk of key compromise.

The sigstore ecosystem is composed of several key components:

- Cosign: A tool for signing, verifying, and storing signatures for container images and other artifacts. Signatures are stored alongside artifacts in OCI registries, rather than embedded in them.

- Fulcio: A certificate authority that issues short-lived X.509 certificates based on OIDC identities, enabling keyless signing.

- Rekor: A transparency log that records signing events in an append-only, tamper-evident ledger. This provides public auditability and detection of suspicious or malicious signing activity.

Together, these components allow anyone to verify who built an artifact, when it was built, and whether it has been tampered with, using publicly verifiable cryptographic proofs. This aligns closely with modern supply chain security practices such as SLSA (Supply-chain Levels for Software Artifacts).

sigstore is widely adopted in the cloud-native ecosystem and integrates with tools like Kubernetes, container registries, CI/CD pipelines, and package managers. It is commonly used to sign container images, Helm charts, binaries, and SBOMs, and is increasingly becoming a baseline security requirement for production software delivery.

The project is governed by the OpenSSF (Open Source Security Foundation) and supported by major industry players.