Software supply chain quickly became a hot topic in the last few years, especially as the number of high-profile attacks increased and the White House got involved. Sigstore, an open source project supported by the likes of Google, GitHub, Chainguard and RedHat, has become somewhat of a standard for signing, verifying and protecting software projects — and the dependencies they use — to make sure that the software you install and run on your machines hasn’t been manipulated. These days, after all, there aren’t many software projects that don’t rely on at least one — and usually multiple — open-source libraries, which themselves probably rely on other libraries, too. And with many of these projects maintained by volunteers, they make for an easy target for hackers.
Today, at SigstoreCon, a co-located event at the CNCF’s KubeCon/CloudNativeCon conference in Detroit, the Sigstore community announced the general …
