Tools and Services for Digital Signature and Digital Signature Verification (Sigstore)

Sigstore Overview

Sigstore is an open, distributed infrastructure designed for software supply chain security.

Sigstore provides tools and services for signing software, verifying signatures, and recording signatures in a tamper-evident transparency log so that they can be traced and audited later.
It also provides the signing and provenance building blocks used to meet the requirements of SLSA (Supply-chain Levels for Software Artifacts), a framework for improving software supply chain security.

Sigstore provides the following features to improve software supply chain security:

  • Signs software so that consumers can check its integrity and origin.
  • Verifies signatures to detect software that has been tampered with since it was signed.
  • Records signatures in a transparency log so that the origin and distribution of software can be traced and audited.
  • Supports SLSA by providing the signed provenance and verification tooling the framework requires.

Its main components are cosign, the command-line tool for signing and verifying artifacts; Fulcio, a certificate authority that issues short-lived signing certificates bound to an OpenID Connect identity; and Rekor, an append-only transparency log in which signatures and their metadata are recorded.

Sigstore in Genian NAC

For enhanced security, Genian NAC's File Distribution Plugin v2 uses tools provided by Sigstore for software integrity assurance.

Files to be distributed are signed with cosign, Sigstore's tool for digital signing and signature verification. Before a distributed file is accepted, its cosign signature is verified, and the signature information recorded in Sigstore's immutable, append-only transparency log (Rekor) is additionally checked, which gives a second, independent record of what was signed and when.

The cosign tool has been added to the Policy Server and plugins for digital signature verification.
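As an added illustration of the two checks described in this section and in the overview above (verifying a signature over a file, then confirming that the signature's entry is included in an append-only Merkle-tree log), here is a self-contained Go program. It is example code, not Genian NAC's or Sigstore's: it uses ECDSA P-256 over the file's SHA-256 digest, which is what cosign does for key-based signing, and the RFC 6962 leaf/node hashing that Rekor's log uses, but the artifact bytes, log entries and entry layout are constructed for the example, and the signed tree head and signed entry timestamp that the real cosign/Rekor clients also verify are omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Domain-separation prefixes for leaf and interior nodes (RFC 6962), as used by Rekor.
const (
	leafPrefix = 0x00
	nodePrefix = 0x01
)

// SignArtifact hashes the artifact with SHA-256 and signs the digest with ECDSA P-256,
// the key type cosign generates for key-based signing.
func SignArtifact(priv *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyArtifact recomputes the digest and checks the signature against the public key.
func VerifyArtifact(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func hashLeaf(leaf []byte) []byte {
	h := sha256.New()
	h.Write([]byte{leafPrefix})
	h.Write(leaf)
	return h.Sum(nil)
}

func hashChildren(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{nodePrefix})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// split returns the largest power of two strictly less than n (n >= 2), the RFC 6962 split point.
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// RootHash computes the RFC 6962 Merkle tree hash over the log entries.
func RootHash(entries [][]byte) []byte {
	n := len(entries)
	if n == 0 {
		return sha256.New().Sum(nil)
	}
	if n == 1 {
		return hashLeaf(entries[0])
	}
	k := split(n)
	return hashChildren(RootHash(entries[:k]), RootHash(entries[k:]))
}

// InclusionProof returns the sibling hashes a log hands out for entry index m (RFC 6962 PATH).
func InclusionProof(entries [][]byte, m int) [][]byte {
	n := len(entries)
	if n <= 1 {
		return nil
	}
	k := split(n)
	if m < k {
		return append(InclusionProof(entries[:k], m), RootHash(entries[k:]))
	}
	return append(InclusionProof(entries[k:], m-k), RootHash(entries[:k]))
}

// VerifyInclusion recomputes the root from a leaf and its proof (RFC 9162 section 2.1.3.2) and
// compares it with the published root, so a client can confirm an entry is in the log
// without trusting the log server's word for it.
func VerifyInclusion(leaf []byte, index, treeSize int, proof [][]byte, root []byte) bool {
	if index >= treeSize {
		return false
	}
	fn, sn := index, treeSize-1
	r := hashLeaf(leaf)
	for _, p := range proof {
		if sn == 0 {
			return false
		}
		if fn%2 == 1 || fn == sn {
			r = hashChildren(p, r)
			for fn%2 == 0 && fn != 0 {
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = hashChildren(r, p)
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// Demo runs the whole flow on constructed data: sign an artifact, verify it, record the
// signature in a small constructed log, and verify the inclusion proof. It returns whether the
// genuine signature verifies, whether a tampered artifact verifies, whether the genuine log
// entry is proven included, and whether a forged entry is proven included.
func Demo() (sigOK, tamperedOK, inclusionOK, forgedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	artifact := []byte("constructed sample package bytes") // stand-in for a file to be distributed
	sig, err := SignArtifact(priv, artifact)
	if err != nil {
		return
	}
	sigOK = VerifyArtifact(&priv.PublicKey, artifact, sig)
	tamperedOK = VerifyArtifact(&priv.PublicKey, append([]byte("x"), artifact...), sig)

	// Simplified log entry: artifact digest followed by its signature (constructed layout;
	// Rekor stores a canonicalized JSON body, but the Merkle construction is the same).
	digest := sha256.Sum256(artifact)
	ours := append(digest[:], sig...)
	entries := [][]byte{[]byte("constructed entry 0"), []byte("constructed entry 1"), ours,
		[]byte("constructed entry 3"), []byte("constructed entry 4")}
	root := RootHash(entries)
	proof := InclusionProof(entries, 2)
	inclusionOK = VerifyInclusion(ours, 2, len(entries), proof, root)
	forged := append(digest[:], []byte("forged signature")...)
	forgedOK = VerifyInclusion(forged, 2, len(entries), proof, root)
	return
}

func main() {
	sigOK, tamperedOK, inclusionOK, forgedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature valid: %v, tampered artifact valid: %v\n", sigOK, tamperedOK)
	fmt.Printf("log inclusion verified: %v, forged entry included: %v\n", inclusionOK, forgedOK)
}
```

The point of the second check is that the signature alone only proves the holder of the key signed something; the inclusion proof ties that signature to a specific position in a log whose root is published, so a signature that was produced but never recorded cannot be passed off as a logged one, and an entry cannot be altered afterwards without changing the root.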