• Sigstore’s original hard-coded ECDSA P-256 + SHA-256 limited future cryptographic flexibility.
• Trail of Bits collaborated to create a centralized algorithm registry in the Protobuf specs.
• Updated Rekor and Fulcio to accept configurable algorithm restrictions.
• Integrated flexibility into Cosign, letting users choose signing algorithms.
• Developed Go implementations of the post-quantum LMS and ML-DSA algorithms.
• New architecture supports future cryptographic standards, enhancing long-term security.

Article Summaries:

  • Sigstore, the open-source ecosystem for software signing, has added cryptographic agility after a two-year effort led by Trail of Bits. The update introduces a centralized algorithm registry in the Protobuf specifications and allows Rekor and Fulcio to enforce configurable algorithm restrictions. Cosign now lets users choose their signing algorithm when generating keys, and Go implementations of the post-quantum schemes LMS and ML-DSA have been added. The changes aim to keep signatures verifiable for decades, meet diverse compliance needs, and enable future-proof cryptography without compromising the system’s security.

Sources: