https://techcrunch.com/2022/10/26/sigstore-launches-free-software-signing-and-verification-service-for-open-source-projects/

Software supply chain quickly became a hot topic in the last few years, especially as the number of high-profile attacks increased and the White House got involved. Sigstore, an open source project supported by the likes of Google, GitHub, Chainguard and RedHat, has become somewhat of a standard for signing, verifying and protecting software projects — and the dependencies they use — to make sure that the software you install and run on your machines hasn’t been manipulated. These days, after all, there aren’t many software projects that don’t rely on at least one — and usually multiple — open-source libraries, which themselves probably rely on other libraries, too. And with many of these projects maintained by volunteers, they make for an easy target for hackers.

Today, at SigstoreCon, a co-located event at the CNCF’s KubeCon/CloudNativeCon conference in Detroit, the Sigstore community announced the general availability of its free software signing service for open source projects. Sigstore is already one of the fasted adopted open source projects ever, with more than 4 million signatures logged so far. Both the Kubernetes and Python communities use it to sign their releases. And npm, the popular JavaScript package manager, is currently in the process of integrating Sigstore to ensure the provenance of its packages.