Tag: SigStore
-
Docker: Retiring Docker Content Trust
Source URL: https://www.docker.com/blog/retiring-docker-content-trust/ Source: Docker Title: Retiring Docker Content Trust Feedly Summary: Docker Content Trust (DCT) was introduced 10 years ago as a way to verify the integrity and publisher of container images using The Update Framework (TUF) and the Notary v1 project. However, the upstream Notary codebase is no longer actively maintained and the…
-
Google Online Security Blog: Taming the Wild West of ML: Practical Model Signing with Sigstore
Source URL: http://security.googleblog.com/2025/04/taming-wild-west-of-ml-practical-model.html Source: Google Online Security Blog Title: Taming the Wild West of ML: Practical Model Signing with Sigstore Feedly Summary: AI Summary and Description: Yes Summary: The text announces the launch of a model signing library developed by the Google Open Source Security Team in collaboration with NVIDIA and HiddenLayer, aimed at enhancing…
-
Hacker News: Attestations: A new generation of signatures on PyPI
Source URL: https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/ Source: Hacker News Title: Attestations: A new generation of signatures on PyPI Feedly Summary: Comments AI Summary and Description: Yes Summary: The announcement discusses a new security feature on the Python Package Index (PyPI): index-hosted digital attestations based on PEP 740. This feature enhances package provenance and security by integrating with Trusted…
-
Hacker News: Are We PEP740 Yet?
Source URL: https://trailofbits.github.io/are-we-pep740-yet/ Source: Hacker News Title: Are We PEP740 Yet? Feedly Summary: Comments AI Summary and Description: Yes **Summary:** PEP 740 introduces a standard for cryptographically verifiable attestations for Python packages, ensuring better security and provenance verification through digital signatures. This initiative utilizes Sigstore technology and highlights the significance of trusted identities in safeguarding…
-
Simon Willison’s Weblog: PyPI now supports digital attestations
Source URL: https://simonwillison.net/2024/Nov/14/pypi-digital-attestations/#atom-everything Source: Simon Willison’s Weblog Title: PyPI now supports digital attestations Feedly Summary: PyPI now supports digital attestations Dustin Ingram: PyPI package maintainers can now publish signed digital attestations when publishing, in order to further increase trust in the supply-chain security of their projects. Additionally, a new API is available for consumers and…
-
Hacker News: Python PGP proposal poses packaging puzzles
Source URL: https://lwn.net/SubscriberLink/993787/0dad7bd3d8ead026/ Source: Hacker News Title: Python PGP proposal poses packaging puzzles Feedly Summary: Comments AI Summary and Description: Yes **Summary:** The text discusses the transition from PGP signatures to sigstore for signing Python artifacts, highlighting significant implications for software security. Sigstore, embraced by various projects, simplifies the verification process by eliminating the need…
-
Hacker News: Trust Rules Everything Around Me
Source URL: https://scottarc.blog/2024/10/14/trust-rules-everything-around-me/ Source: Hacker News Title: Trust Rules Everything Around Me Feedly Summary: Comments AI Summary and Description: Yes Summary: The text dives into concerns around governance, trust, and security within the WordPress community, particularly in light of recent controversies involving Matt Mullenweg. It addresses critical vulnerabilities tied to decision-making power and proposes cryptographic…