Building cryptographic agility into Sigstore

Trail of Bits·Security / OSINT·

Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our current signatures will fail, but whether we’re prepared for when they do. Sigstore, an open-source ecosystem for ...

Read full article →

Related Articles

Google Chrome silently installs a 4 GB AI model on your device without consent
john-doe · Hacker News · 3d ago
DNSSEC disruption affecting .de domains – Resolved
warpspin · Hacker News · 3d ago
US healthcare marketplaces shared citizenship and race data with ad tech giants
ZeidJ · Hacker News · 4d ago
Security through obscurity is not bad
mobeigi · Hacker News · 5d ago
The text mode lie: why modern TUIs are a nightmare for accessibility
SpyCoder77 · Hacker News · 5d ago