by newaccount2023 1189 days ago
Supply chain will have to be some kind of federated and distributed mechanism.

There is absolutely no way a single startup can hope to be the single source of truth; that is a recipe for disaster, just like we are now seeing with hub.docker.com.


That's happening already: https://www.sigstore.dev/

Anyone who talks about supply chain and doesn't mention/integrate with sigstore hasn't done their homework, IMO.

Hi, Chainloop developer here.

I completely agree with your comment. We might be doing a poor job at explaining what Chainloop is compared to Sigstore.

Chainloop is built on top of Sigstore's (among others) great OSS building blocks. We use cosign, in-toto and DSSE for generation, or OCI for storing the attestations. It's true that today the signing is done using an asymmetric cosign key at the moment of the attestation crafting, but we have plans to implement keyless/identity signing and verifying using Sigstore fulcio+rekor.

Great stuff! Would love to know your take on Sigsum (sigsum.org) and also on how it compares to Sigstore (https://git.sigsum.org/sigsum/tree/archive/2022-03-15-notes-...).

I found that reading, and the project itself, fascinating, but I'm not sure how solid the project/analysis is.

Thanks!

I am afraid I don't have a formed opinion on the sigsum project yet.

Thanks for the pointer though; it indeed looks interesting. It might come in handy once we start the effort of adding a transparent log (i.e. rekor) to Chainloop.

Chainloop is not designed nor implemented with that centralization concept in mind.

It is meant to run as any other OSS infrastructure piece in your Software Supply Chain. The source of truth that we describe is about providing organizations with a single mechanism to define, ingest and route metadata and artifacts to their final destination (i.e. Artifactory, OCI registry, ...).