SigStore: a Transparent Software Supply Chain Storage System

Principal Investigator: Santiago Torres-Arias

Sigstore is a system to provide cross-ecosystem binary transparency, to register supply chain actors using federated identity management, and to allow software vendors to communicate software supply chain information between actors. Sigstore builds on existing transparent/auditable data structures (e.g., transparency logs, transparency maps), as well as identification systems (e.g., OIDC), and supply chain metadata (e.g., in-toto, TUF, RPM signatures) to provide end-to-end verifiability to software consumers.
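The "transparent/auditable data structure" underneath such a system is an append-only Merkle log: a consumer who holds a signed tree head can check that a specific signature record is included without trusting the log operator. The following is an added illustration of that check, not Sigstore's or Rekor's own code; it assumes RFC 6962-style SHA-256 hashing with 0x00/0x01 domain-separation prefixes and the inclusion-proof verification order from RFC 9162.

```python
# Toy RFC 6962-style Merkle log (added illustration, not Sigstore/Rekor code):
# hash entries, compute the tree head, and verify an inclusion proof.
import hashlib
from typing import List

def leaf_hash(data: bytes) -> bytes:
    # Leaves are domain-separated with 0x00 so a leaf can never be confused with a node
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes are prefixed with 0x01 (second-preimage hardening, RFC 6962)
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # Largest power of two strictly less than n (the RFC 6962 split point)
    return 1 << ((n - 1).bit_length() - 1)

def tree_head(hashes: List[bytes]) -> bytes:
    # Merkle Tree Hash over a list of leaf hashes
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return node_hash(tree_head(hashes[:k]), tree_head(hashes[k:]))

def inclusion_proof(hashes: List[bytes], index: int) -> List[bytes]:
    # Audit path for leaf `index`, ordered from the leaf toward the root
    if len(hashes) == 1:
        return []
    k = _split(len(hashes))
    if index < k:
        return inclusion_proof(hashes[:k], index) + [tree_head(hashes[k:])]
    return inclusion_proof(hashes[k:], index - k) + [tree_head(hashes[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, proof: List[bytes], root: bytes) -> bool:
    # Recompute the root from one leaf hash and its audit path (RFC 9162 sec 2.1.3.2)
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False  # more path elements than the tree shape allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

A real verifier would additionally check the log's signature over the tree head and a consistency proof between successive heads; this block shows only the inclusion step.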

Keywords: auditable data structures, distributed system security, supply chain security