Updates and recent posts about Sigstore
@varbear shared a link, 4 days, 2 hours ago (FAUN.dev())

Build and Deploy a Remote MCP Server to GKE in 30 Minutes

Google walks you through shipping a remote MCP server on GKE Autopilot using FastMCP and streamable-http, swapping local stdio for shared HTTP endpoints. The clever bit: the Gateway API handles managed SSL plus CLIENT_IP session affinity, so one centralized server beats everyone running redundant local copies.
@varbear shared a link, 4 days, 2 hours ago (FAUN.dev())

The unwritten laws of software engineering

- Always related - first rollback, then debug.
- Backups aren't real until restored.
- You'll hate yourself for bad logs.
- ALWAYS have a rollback plan.
- Every external dependency will fail.
- If there's risk, use the "4 eyes" rule.
- Nothing lasts like a temporary fix.
@varbear shared a link, 4 days, 2 hours ago (FAUN.dev())

How building an HTML-first site doubled our users overnight

Building HTML-first forms using Astro instead of React dramatically increased completion rates and sustainability, highlighting the effectiveness of lightweight, accessible web components for all users, regardless of browser or connectivity.
@varbear shared a link, 4 days, 2 hours ago (FAUN.dev())

Everything a Senior Engineer Needs to Know About What's Inside an LLM

The shift from RNNs to transformers solved sequential bottlenecks and long-range decay issues with self-attention. Transformers use encoding, decoding, and tokenization to process sequences efficiently and accurately. This evolution led to models like GPT, which excel at tasks with minimal fine-tuning.
@varbear shared a link, 4 days, 2 hours ago (FAUN.dev())

Google hits 50% IPv6

The 50% IPv6 milestone is real, but adoption differs by country. Analysts who report lower figures use population-weighted sampling, while their per-country adoption rates match the higher estimate.
Sigstore is an open source initiative designed to make software artifact signing and verification simple, automatic, and widely accessible. Its primary goal is to improve software supply chain security by enabling developers and organizations to cryptographically prove the origin and integrity of the software they build and distribute.

At its core, Sigstore removes many of the traditional barriers associated with code signing. Instead of managing long-lived private keys manually, Sigstore supports keyless signing: the signer authenticates to an OpenID Connect (OIDC) provider such as GitHub Actions, Google, or Microsoft, and a short-lived signing identity is issued dynamically for that session. This dramatically lowers operational complexity and reduces the risk of key compromise, since there is no long-lived key to leak.

The Sigstore ecosystem is composed of several key components:

- Cosign: A tool for signing, verifying, and storing signatures for container images and other artifacts. Signatures are stored alongside artifacts in OCI registries, rather than embedded in them, so the artifact digest itself is unchanged by signing.

- Fulcio: A certificate authority that issues short-lived X.509 certificates based on OIDC identities, binding a freshly generated signing key to the identity (for example an e-mail address or a CI workflow) and the OIDC issuer that vouched for it. This is what makes keyless signing possible.

- Rekor: A transparency log that records signing events in an append-only, tamper-evident ledger. Because each entry carries the time it was logged, a signature can be verified long after the Fulcio certificate has expired; the log also provides public auditability and a way to detect suspicious or malicious signing activity.

Together, these components allow anyone to verify who built an artifact, when it was built, and whether it has been tampered with, using publicly verifiable cryptographic proofs. This aligns closely with modern supply chain security practices such as SLSA (Supply-chain Levels for Software Artifacts).
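The three-part check described above (short-lived certificate, identity and issuer bound into it, log time used for validity), as an added illustration in Go that is not Sigstore's or cosign's own code. It assumes a constructed root standing in for Fulcio, a constructed signer identity `dev@example.com` at issuer `https://accounts.example.com`, and the OID under which Fulcio's original extension records the OIDC issuer as a raw string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Extension OID Fulcio uses to record the signer's OIDC issuer (original form: raw string value).
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// verify applies a cosign-style policy: the leaf must chain to the trusted root at the moment the
// transparency log recorded the entry (not at wall-clock time), the certificate's identity and
// OIDC issuer must match what the policy expects, and the signature must cover the artifact digest.
func verify(root, leaf *x509.Certificate, digest, sig []byte, email, issuer string, logged time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: logged, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return err // untrusted, or not valid at the time the log says it was signed
	}
	issuerOK := false
	for _, e := range leaf.Extensions { issuerOK = issuerOK || (e.Id.Equal(oidIssuer) && string(e.Value) == issuer) }
	if !issuerOK || len(leaf.EmailAddresses) != 1 || leaf.EmailAddresses[0] != email {
		return errors.New("certificate identity or issuer does not match policy")
	}
	if !ecdsa.VerifyASN1(leaf.PublicKey.(*ecdsa.PublicKey), digest, sig) { return errors.New("signature does not cover artifact") }
	return nil
}

// Demo: a constructed root (Fulcio's role) issues a ten-minute certificate to an ephemeral key bound
// to dev@example.com, a constructed artifact is signed, and verification runs against the given policy
// as if the log recorded the entry logDelay after signing. Returns nil when the policy is satisfied.
func Demo(expectEmail, expectIssuer string, logDelay time.Duration) error {
	t := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral: discarded after signing
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"},
		NotBefore: t.Add(-time.Hour), NotAfter: t.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	root, _ := x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: t, NotAfter: t.Add(10 * time.Minute),
		EmailAddresses: []string{"dev@example.com"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte("https://accounts.example.com")}}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, &signer.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	d := sha256.Sum256([]byte("constructed artifact bytes")) // cosign signs the artifact digest
	sig, _ := ecdsa.SignASN1(rand.Reader, signer, d[:])
	return verify(root, leaf, d[:], sig, expectEmail, expectIssuer, t.Add(logDelay))
}
```

Verifying an hour after signing fails only if the wall clock is used; passing the log's timestamp as CurrentTime is what lets a ten-minute certificate stay verifiable indefinitely.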

Sigstore is widely adopted in the cloud-native ecosystem and integrates with tools like Kubernetes, container registries, CI/CD pipelines, and package managers. It is commonly used to sign container images, Helm charts, binaries, and SBOMs, and is increasingly becoming a baseline security requirement for production software delivery.

The project is governed by the OpenSSF (Open Source Security Foundation) and supported by major industry players.