5 comments

[ 4.5 ms ] story [ 25.6 ms ] thread
seems to be signing using ephemeral keys backed by open ID connect and transparency logs. I don't know when it's available yet, the article does not say.
Depends what you mean by available :)

It's all basically up and running right now in a "sandbox" where we make no promises on integrity or availability but, we're encouraging people to try it out and give feedback.

If you want to try it out to sign containers this branch has everything you need: https://github.com/sigstore/cosign/pull/53

"A lot of it's inspired by Apple's model around signing and Microsoft has a similar one," said Dan Lorenc, a software engineer on Google's open source team. "We're trying to combine that with the Let's Encrypt style approach of automatically granting and managing short-lived keys."

What's the point in this, exactly? Both of those are incredibly controversial, and it's hard to make an argument that it's something to emulate on Linux.

I'm hoping we'll be able to take the good parts and leave the bad. IMO the problem with the app store models is that the certificate system is required, expensive and hard to use.

An optional system that is free and easy to use hopefully addresses these issues.

No one is planning on a mandatory app store or anything like that. We just want to make it easier to sign things and check signatures for people that want to.

Hey, one of the developers here (Luke) - This was a case of Dan said one thing and it came out on paper with a different slant then intended.

For the record this will be quite different model, as in there won't be any criteria to use the service. This will be a non-profit / free to use service with no need to apply to join etc. We see the more that people use this, the better the protections for all.

We are largely basing this off Let's Encrypts model of public good, more than the aforementioned programs.