Linux community project aims to thwart dependency confusion attacks with easy code signing and verification

Sigstore: a Let’s Encrypt for software integrity


Google has teamed up with the Linux community on a new project that aims to make open source software more secure through easy code signing and verification.

The project – dubbed ‘sigstore’ – is spearheaded by the Linux Foundation and aims to use digital signature technology to ensure supply chain integrity and defend against software supply chain attacks.
