Why we're excited about the Sigstore general availability

Sigstore is a newly available technology designed to enhance software supply chain security by providing an innovative approach to signing, verifying, and protecting builds, particularly through integration with platforms like GitHub Actions. By utilizing keyless signing, Sigstore eliminates the need for private key management, streamlining the process and encouraging more frequent signing of builds. This advancement is already being applied to Kubernetes and CPython releases. Additionally, Sigstore aims to improve npm package security by enabling verifiable links between packages, their source code, and build instructions, leveraging information encoded in signing certificates from OIDC tokens. This development is part of a collaborative effort involving multiple organizations, including GitHub, to ensure a more secure ecosystem for npm users. The general availability of Sigstore marks a significant milestone, with ongoing efforts to expand support across various cloud CI/CD providers and enhance npm registry capabilities.