Skip to content

Commit

Permalink
Update overview.md
Browse files Browse the repository at this point in the history
finish requests

Signed-off-by: jonvnadelberg <[email protected]>
  • Loading branch information
jonvnadelberg authored Aug 24, 2023
1 parent a7c6fa4 commit f34b2b1
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions content/en/about/overview.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,9 @@ weight: 1

![Sigstore](sigstore-logo_horizontal-color.svg)

**Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. The signing materials are stored in a tamper-resistant public log so there’s no need to manage or store keys.**
**Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. Signatures are generated with ephemeral signing keys so there's no need to manage keys. Signing events are recorded in a tamper-resistant public log so software developers can audit signing events.**

The project is backed by the Open Source Security Foundation (OpenSSF) under the Linux Foundation, with contributions from Google, Red Hat, Chainguard, GitHub and Purdue University. It is 100% open source and free to use for all developers and software providers. The Sigstore community develops and maintains the source code and tooling as a public good, non-profit service to improve the open source software supply chain.
The project is backed by the Open Source Security Foundation (OpenSSF) under the Linux Foundation, with contributions from Google, Red Hat, Chainguard, GitHub and Purdue University. It is 100% open source and free to use for all developers and software providers. The Sigstore community develops and maintains tools to simplify code signing and verification, and also operates a public-good, non-profit service to improve the open source software supply chain.

## Why cryptographic signing?

Expand Down Expand Up @@ -41,7 +41,7 @@ Sigstore addresses these problems by helping users move away from a key-based si
- **Verified**: By checking your identity with our certificate authority (Fulcio).
- **Witnessed**: By recording the signing information in a permanent transparency log (Rekor).

The signer can even forgo using long-lived keypairs. With “keyless” or “ephemeral key” signing, users verify the artifact using the transparency log for signature verification rather than keys. Sigstore improves on traditional methods of signing to be more convenient and secure:
The signer ideally forgoes using long-lived keypairs. With “keyless” or “ephemeral key” signing, users verify the artifact using the transparency log for signature verification rather than keys. Sigstore improves on traditional methods of signing to be more convenient and secure:

- **Convenience**: Users can take advantage of convenient tooling, easy container signing, and can even bypass the difficult problem of key management and rotation.
- **Security**: With Sigstore, the artifact is not just signed; it’s signed, verified, and witnessed.
Expand Down

0 comments on commit f34b2b1

Please sign in to comment.