WordPress content, cryptographically provable.

Proof of original publication
Proof of timestamp
Proof of anchoring to an immutable external audit trail
Proof of authorship
Proof of tampering

🔜 Proof of redistribution lineage: forensic watermarking (coming soon)

https://wordpress.org/plugins/archiviomd/

#WordPress #ContentIntegrity #Cryptography #Sigstore #OpenSource #Compliance #FOSS

ArchivioMD

Cryptographic content integrity for WordPress. Hashing, HMAC, Ed25519 signing, RFC 3161 timestamps, Rekor transparency log, and compliance exports.

WordPress.org

#SigStore / #PyPI attestations: #PGP is hard! We must invent a new signing scheme that's so much easier on users.

The tools, after I've spent hours *integrating* them into #Gentoo, and getting them working for everything before:
* Verifying google_auth-2.46.0.tar.gz ...
Provenance signed by a Google Cloud account, but no service account provided; use '--gcp-service-account'

Yeah, I'm sure that's *so much simpler* than PGP.

#security

FluxCD OCI Artifact Verification

Kia Ora and Happy New Year! 🇳🇿🎉🎆 Thank you for stopping by.

Caleb Woodbine

For the last couple of weeks, I've been deep diving into container supply chain security.

I built a full GitHub Actions demo pipeline:

• Vulnerability scanning

• SBOM generation

• Keyless signing + attestations

• SLSA build provenance

The stack: Trivy, Syft, Cosign, and Sigstore.

Zero long-lived secrets. GitHub Actions uses OIDC to obtain a short-lived certificate, signs the image (and publishes attestations), and records everything in a public transparency log. No keys to rotate or leak.

The post also covers hardened base images (distroless and Docker's new Hardened Images) and how to enforce signatures on the consumer side with Kubernetes admission policies.

Blog + companion repo to fork: https://lnkd.in/gtdNYWW8

#SupplyChainSecurity #SBOM #Sigstore #GitHubActions #DevSecOps #ZeroTrust

Recently moved to exclusively using OCI for deploying through FluxCD.

For when I need Helm, I’m vendoring packages and syncing them to an OCI registry.

Utilising Sigstore, every OCI image is signed in CI and verified by FluxCD via the verify config in OCIRepository resources.

Both very boring and yet exciting changes!

#fluxcd #kustomize #helm #kubernetes #cncf #homelab #sigstore
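For the Flux side of this, here is an added example (not the poster's configuration) of an `OCIRepository` with keyless verification enabled. With `provider: cosign` and no `secretRef`, Flux verifies the artifact's Sigstore signature against the public Rekor log and Fulcio roots, and `matchOIDCIdentity` restricts which signer identity is acceptable. The registry URL and the `example-org/platform-manifests` repository in the subject pattern are assumptions.

```yaml
# Added example; the registry and identity patterns are placeholders.
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: platform-manifests
  namespace: flux-system
spec:
  interval: 5m
  # Assumption: kustomize manifests pushed as an OCI artifact from CI
  url: oci://ghcr.io/example-org/platform-manifests
  ref:
    tag: main
  verify:
    provider: cosign          # keyless: no secretRef means Fulcio + Rekor are used
    matchOIDCIdentity:
      # Only artifacts signed by this repo's GitHub Actions workflows are trusted.
      - issuer: "^https://token.actions.githubusercontent.com$"
        subject: "^https://github.com/example-org/platform-manifests/.*$"
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: platform
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: OCIRepository
    name: platform-manifests
  path: ./
  prune: true
```

If verification fails, the `OCIRepository` reports a `SourceVerified=False` condition and the dependent `Kustomization` never reconciles the new revision, so an unsigned or wrongly signed push is rejected at the source rather than partially applied. The same `verify` block applies to Helm charts vendored into OCI and consumed via an `OCIRepository` with `layerSelector`, which is what makes the vendoring approach in the post hold together end to end.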

For public repositories, attestations generated on GitHub Actions will be written to the #Sigstore Public Good Instance for verification in public on an immutable ledger. For private repositories on #GitHub Enterprise plans, the attestations are written to an internal, completely private database and no information is written to public ledgers or logs.
https://github.blog/news-insights/product-news/introducing-artifact-attestations-now-in-public-beta/
Introducing Artifact Attestations–now in public beta

Generate and verify signed attestations for anything you make with GitHub Actions.

The GitHub Blog

OpenSSF-funded improvements to Sigstore’s rekor-monitor are making transparency logs easier to monitor for malicious package releases and identity misuse.

Great work by @trailofbits, with support from the sigstore maintainer community including Hayden Blauzvern and @mihaimaruseac.

🔗 https://openssf.org/blog/2025/12/19/catching-malicious-package-releases-using-a-transparency-log/

#OpenSourceSecurity #sigstore #SupplyChainSecurity

💡 OpenSSF Project Highlight: Sigstore - A Wax Seal of Security for the Digital Era

❓ Why this matters: the Sigstore project is building a modern, transparent trust layer for open source.

Watch this interview and learn more about #Sigstore: https://youtu.be/m5eTw4x33kU?si=JFY3C81VFjBhNIML

Sigstore: A Wax Seal of Security for the Digital Era | OpenSSF Project Spotlight

YouTube

🎉 The new #Sigstore Rekor transparency log public dataset is now available on BigQuery!

This dataset makes it easier for researchers to analyze software signing trends & understand how artifacts are signed across the open source ecosystem.

🔗 Read: https://openssf.org/blog/2025/10/15/announcing-the-sigstore-transparency-log-research-dataset/