The Sigstore community today announced the first stable release of sigstore-python. The release is intended to strengthen the security of the software supply chain and to serve as a foundation for other Sigstore client implementations that are still in their early stages.
Sigstore is an open source project launched under the Linux Foundation that aims to provide a free and stable service that lets any developer easily sign, verify and protect their software projects. Code signing is a valuable tool for preventing attackers from tampering with software and distributing malware, but it has been difficult to adopt in open source projects because of the complexity of key management.
sigstore-python, part of the project and funded by Google’s open source security team, aims to provide a Sigstore-compatible client comparable to cosign, but built entirely in Python and designed to be easy to adopt within the Python ecosystem.
“Today’s release of sigstore-python is an important milestone for sigstore and the Python community,” Bob Callaway, co-founder of the sigstore project and technical lead and manager of Google’s open source security team, told SC Media. “The release of a stable Python-native implementation of Sigstore’s signing and verification workflows will enable Python developers and package maintainers to improve the security of the Python software supply chain without the overhead of managing private keys.”
Sigstore-python is just one of many Sigstore clients in development, alongside implementations for languages such as Ruby, Java, Rust, Go and JavaScript. It is not the oldest implementation, but it aims to be one of the most authoritative in terms of “implementing the complexities of Sigstore’s security model in a concise and accurate manner”, and it could provide an important technical foundation for other client implementations, said William Woodruff, one of the main contributors to sigstore-python and a senior security engineer at Trail of Bits.
“Sigstore-python is intended to be the ‘reference’ implementation of the Sigstore client, i.e. to be the primary technical reference for other client implementations of Sigstore (such as the Rust implementation) that are in early development,” Woodruff told SC Media. “The codebase as a whole is meant to be actually read and consumed by other users of the Sigstore community, and maintaining that level of referential competence is an important long-term goal that we continue to work towards. I can confidently say that it’s one of the features we’ll be adding.”
Among the most distinguishing features of sigstore-python are its public Python API and its command-line interface (CLI), both designed so that the cryptographic tooling is hard to misuse. Each exposes the project’s two core primitives: signing and verifying.
As for next steps, Woodruff said his team is working with other members of the Sigstore community to standardize a bundle format for signing materials, and that they hope to add support for signing and verifying with bundles soon.
Additionally, the team is working to integrate Sigstore more deeply into the Python Package Index (PyPI), the popular open source package repository, and to stabilize the associated GitHub Action.
“GitHub is proud to work with the open source community to help run the Sigstore specification, implementation, and public server, and to see this functionality come to life on PyPI, npm, and other package managers,” Trevor Rosen, a member of the Sigstore Technical Steering Committee and a staff engineering manager at GitHub, told SC Media.
“[Sigstore] We are eager to work with the Python community to integrate sigstore-python into Python’s packaging tools and infrastructure so that Python developers can reap the benefits of modern, transparent digital signatures,” Callaway added.