The Linux Foundation, the non-profit organization enabling innovation through open source, has announced a new service to improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing. Called 'sigstore', it will allow software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials will then be stored in a tamper-proof public log. Founding members of the project include Red Hat, Google and Purdue University. "sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software…