The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

SigStore: a Transparent Software Supply Chain Storage System

Research Areas: Assured Identity and Privacy

Principal Investigator: Santiago Torres-Arias

Sigstore is a system to provide cross-ecosystem binary transparency, to register supply chain actors using federated identify management, and to allow software vendors to communicate software supply chain information between actors. Sigstore builds on existing transparent/auditable datastructures (e.g., transparency logs, transparency maps), as well as identification systems (e.g., OIDC), and supply chain metadata (e.g., in-toto, TUF, RPM signstures) to provide end-to-end verifiability to software consumers.

Keywords: auditable data structures, distributed system security, supply chain security