The Kubernetes and sigstore communities have announced that Kubernetes is adopting sigstore in production to sign release artifacts and to let users verify those signatures, enabling Kubernetes users for the first time to check that the distribution they are running is exactly what the release team published. Kubernetes 1.24 and all future releases will ship sigstore signatures and signing certificates for their artifacts, giving users the ability to verify the origin of each released Kubernetes binary, source code bundle and container image before deploying it.
sigstore, introduced in 2021, is a free signing service for software developers that improves the security of the software supply chain by making cryptographic software signing easy to adopt: signers obtain short-lived signing certificates tied to an identity, and the resulting signatures are recorded in a public, append-only transparency log so that anyone can verify them after the fact.
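The verification step the announcement refers to, shown here as an added example rather than code from the announcement or the Kubernetes project: a small shell wrapper around cosign (sigstore's signing and verification CLI) that verifies a downloaded release binary against its detached signature and certificate, and a published container image against the signature stored in the registry. It assumes cosign v2 is installed, that the release pipeline signs as the identity `krel-trust@k8s-releng-prod.iam.gserviceaccount.com` issued by `https://accounts.google.com` (the values documented by the Kubernetes project at the time of writing; treat them as an assumption to check against the current Kubernetes documentation), and that the `.sig`/`.cert` files and the image names in the usage comments are published where shown.

```bash
#!/usr/bin/env bash
# Added example, not code from the Kubernetes project: verify Kubernetes
# release artifacts signed with sigstore using cosign v2.
# ASSUMPTIONS: cosign v2 is on PATH; the signing identity and OIDC issuer
# below are the ones documented for the Kubernetes release pipeline.
set -u

K8S_SIGNING_IDENTITY="krel-trust@k8s-releng-prod.iam.gserviceaccount.com"
K8S_OIDC_ISSUER="https://accounts.google.com"

# verify_k8s_blob BLOB SIG CERT
# Returns 0 only if SIG is a valid signature over BLOB made with CERT, CERT
# was issued to the pinned identity by the pinned issuer, and the signature
# is present in the transparency log. Returns 2 on a missing input file and
# 3 if cosign is not installed, so callers can tell "bad signature" apart
# from "could not check".
verify_k8s_blob() {
  local blob="$1" sig="$2" cert="$3" f
  for f in "$blob" "$sig" "$cert"; do
    if [ ! -f "$f" ]; then
      echo "verify_k8s_blob: missing input file: $f" >&2
      return 2
    fi
  done
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 3; }
  cosign verify-blob \
    --signature "$sig" \
    --certificate "$cert" \
    --certificate-identity "$K8S_SIGNING_IDENTITY" \
    --certificate-oidc-issuer "$K8S_OIDC_ISSUER" \
    "$blob"
}

# verify_k8s_image IMAGE_REF
# Fetches the signature attached to the image in the registry and verifies
# it against the same pinned identity and issuer.
verify_k8s_image() {
  local image="$1"
  [ -n "$image" ] || { echo "verify_k8s_image: image reference required" >&2; return 2; }
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 3; }
  cosign verify \
    --certificate-identity "$K8S_SIGNING_IDENTITY" \
    --certificate-oidc-issuer "$K8S_OIDC_ISSUER" \
    "$image"
}

# Usage (needs network access to dl.k8s.io, the registry and the
# transparency log; the URLs are assumed to follow the release layout
# documented by the Kubernetes project):
#   VERSION=v1.24.0
#   for ext in "" .sig .cert; do
#     curl -LO "https://dl.k8s.io/release/${VERSION}/bin/linux/amd64/kubectl${ext}"
#   done
#   verify_k8s_blob kubectl kubectl.sig kubectl.cert
#   verify_k8s_image "registry.k8s.io/kube-apiserver:${VERSION}"
```

The two `--certificate-identity` and `--certificate-oidc-issuer` flags are the security-relevant part: without pinning them, any certificate issued by sigstore's public CA to any identity would satisfy the check, so a valid signature would prove only that somebody signed the file, not that the Kubernetes release pipeline did. A successful run therefore establishes both that the bytes were not altered and that they were signed by the expected release identity, with the signature logged where it can be audited.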
In early 2021 the Kubernetes release team began working toward SLSA (Supply-chain Levels for Software Artifacts) compliance to improve the security of the Kubernetes software supply chain. SLSA is a security framework that includes a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in projects, businesses and enterprises. sigstore was a key project in reaching SLSA level 2, whose distinguishing requirement is signed, authenticated build provenance, and it gives the project a head start toward SLSA level 3 compliance, which the Kubernetes community expects to reach this August.
Beyond the millions of developers who use Kubernetes directly or indirectly, verifiable release signatures also help organizations that need to comply with the recent NIST Secure Software Development Framework (SSDF) requirements, which call for software producers to provide a way to verify release integrity and for acquirers to check it.