Sigstore: a Transparent Software Supply Chain Storage System

Principal Investigator: Santiago Torres-Arias

Sigstore is a system that provides cross-ecosystem binary transparency, registers supply chain actors through federated identity management, and lets software vendors communicate software supply chain information to other actors. Sigstore builds on existing transparent, auditable data structures (e.g., transparency logs and transparency maps), identity systems (e.g., OIDC), and supply chain metadata formats (e.g., in-toto, TUF, RPM signatures) to give software consumers end-to-end verifiability.

Keywords: auditable data structures, distributed system security, supply chain security
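The flow the abstract describes (an identity from a federated login bound to a short-lived signing key, the signing event recorded in a transparency log, and a consumer checking all three) reduced to a self-contained toy in Go. This is an added example, not Sigstore's own code: the `CA`, `Log`, `Cert`, `Bundle` types and every encoding are assumptions made for illustration, the CA accepts a bare identity string where Sigstore's certificate authority would verify an OIDC token, and the log is an in-memory Merkle tree with no signed checkpoint. Sigstore's real certificate, log entry and bundle formats differ.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Toy model of a Sigstore-style keyless signing flow (an added example, not Sigstore's own code or
// formats). Assumed simplifications: the CA accepts a bare identity string where Sigstore's CA would
// verify an OIDC token; the log is an in-memory Merkle tree with no signed checkpoint; encodings are ad hoc.

type Cert struct{ Identity string; PubKey ed25519.PublicKey; CASig []byte } // identity bound to a short-lived key
type Bundle struct{ Cert Cert; Sig []byte; LogIndex int }                   // ships with the artifact; no private key
type CA struct{ priv ed25519.PrivateKey; Pub ed25519.PublicKey }            // identity-binding certificate authority
type Log struct{ leaves [][]byte }                                          // transparency log: append-only Merkle tree
type step struct{ hash []byte; left bool }                                  // proof hop: sibling hash, sibling on left?

func certBody(id string, pub ed25519.PublicKey) []byte { return append([]byte("cert:"+id+":"), pub...) }
func leafHash(d []byte) []byte { h := sha256.Sum256(append([]byte{0}, d...)); return h[:] }
func nodeHash(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }
func NewCA() *CA { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return &CA{priv, pub} }

// Issue certifies pub for id; a real CA would first verify an OIDC token proving id.
func (c *CA) Issue(id string, pub ed25519.PublicKey) Cert { return Cert{id, pub, ed25519.Sign(c.priv, certBody(id, pub))} }

// logEntry records one signing event: artifact digest, certificate and signature.
func logEntry(digest []byte, c Cert, sig []byte) []byte {
	return bytes.Join([][]byte{digest, certBody(c.Identity, c.PubKey), c.CASig, sig}, nil)
}

// InclusionProof folds the leaves up to the root, collecting leaf idx's sibling path on the way
// (an unpaired last node is promoted unchanged). A real log serves the root as a signed checkpoint.
func (lg *Log) InclusionProof(idx int) (path []step, root []byte) {
	if idx < 0 || idx >= len(lg.leaves) {
		return nil, nil
	}
	level := lg.leaves
	for len(level) > 1 {
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			if i+1 == len(level) {
				next = append(next, level[i])
				continue
			}
			if idx == i {
				path = append(path, step{level[i+1], false})
			} else if idx == i+1 {
				path = append(path, step{level[i], true})
			}
			next = append(next, nodeHash(level[i], level[i+1]))
		}
		level, idx = next, idx/2
	}
	return path, level[0]
}

// VerifyInclusion recomputes the root from the entry and its sibling path.
func VerifyInclusion(entry []byte, path []step, root []byte) bool {
	h := leafHash(entry)
	for _, s := range path {
		if s.left {
			h = nodeHash(s.hash, h)
		} else {
			h = nodeHash(h, s.hash)
		}
	}
	return bytes.Equal(h, root)
}

// Sign: throwaway key, CA-certified for id, signs the artifact digest, event appended to the log.
// The private key is discarded when Sign returns; only the certificate and signature are kept.
func Sign(ca *CA, lg *Log, id string, artifact []byte) Bundle {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cert := ca.Issue(id, pub)
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(priv, digest[:])
	lg.leaves = append(lg.leaves, leafHash(logEntry(digest[:], cert, sig)))
	return Bundle{cert, sig, len(lg.leaves) - 1}
}

// Verify is the consumer side: a trusted-CA certificate naming the expected identity, a valid
// signature under the certified key, and the signing event present in the transparency log.
func Verify(caPub ed25519.PublicKey, lg *Log, wantID string, artifact []byte, b Bundle) error {
	if !ed25519.Verify(caPub, certBody(b.Cert.Identity, b.Cert.PubKey), b.Cert.CASig) || b.Cert.Identity != wantID {
		return fmt.Errorf("no trusted certificate binding %q to the signing key", wantID)
	}
	digest := sha256.Sum256(artifact)
	if !ed25519.Verify(b.Cert.PubKey, digest[:], b.Sig) {
		return fmt.Errorf("signature does not match artifact")
	}
	path, root := lg.InclusionProof(b.LogIndex)
	if !VerifyInclusion(logEntry(digest[:], b.Cert, b.Sig), path, root) {
		return fmt.Errorf("signing event not found in transparency log")
	}
	return nil
}
```

The three checks in `Verify` are what make the scheme end-to-end verifiable without long-lived signing keys: the consumer trusts the CA's public key and the log's root rather than a per-vendor key, and an attacker who compromises a CI credential still leaves a logged, attributable signing event that the real identity owner can audit. In a deployment the root would come from a signed checkpoint that clients pin and compare against other clients, not from the same server that serves the proof.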
