by migmartri 1189 days ago
Hi, Chainloop developer here.

I completely agree with your comment. We might be doing a poor job at explaining what Chainloop is compared to Sigstore.

Chainloop is built on top of Sigstore's (among others) great OSS building blocks. We use cosign, in-toto and DSSE for generation or OCI for storing the attestations. It's true that today the signing is done using an asymmetric cosign key at the moment of the attestation crafting, but we have plans on implementing keyless/identity signing and verifying using Sigstore fulcio+rekor.

1 comments

Great stuff! Would love to know your take on Sigsum (sigsum.org) and also on how it compares to Sigstore ( https://git.sigsum.org/sigsum/tree/archive/2022-03-15-notes-... ).

I found that reading and the project itself fascinating, but I'm not sure about how solid the project/analysis is.

Thanks!

I am afraid I don't have a formed opinion on the Sigsum project yet.

Thanks for the pointer though, it indeed looks interesting, it might come in handy once we start the effort of adding a transparent log (i.e. rekor) to Chainloop.