SigstoreCon Supply Chain Day 2024: Celebrating the Impact of Sigstore on Digital Signing and Supply Chain Security
As we approach SigstoreCon at KubeCon + CloudNativeCon, an exciting convention where experts will share their insights on the project’s progress, adoption and future directions, I’d like to take this opportunity to reflect on the significant impact Sigstore has had over the years.
A Global Effort: Maintaining a Diverse and Collaborative Community
Sigstore boasts an impressive list of maintainers from top companies and academic institutions, including Purdue, NYU, Google, Chainguard, GitHub, Red Hat, Stacklok, VMware, IBM, Trail of Bits, Yahoo and more. This diverse contributor base is crucial to the project’s success, ensuring that Sigstore remains open, transparent and secure.
Our community has grown significantly since its inception, with many repositories spanning polyglot client SDKs, servers (transparency logs, certificate authorities, policy controllers) and supporting automation tools like Helm charts and Terraform templates. This extensive collection of resources demonstrates the project’s commitment to providing a robust foundation for digital signing.
Sub-Groups and Specialized Teams
Sigstore has two formalized sub-groups: one to improve standardization and conformity across clients, and one to build a more robust and highly available public service.
SIG-Clients: Focuses on developing client SDKs for various programming languages.
SIG-Public-Good-Operations: Concentrates on building and maintaining services that support public-good operations.
Public Good Service: Community SREs Keep the Service Up, Running and Signing!
Sigstore’s Public Good Service is a remarkable example of community-driven collaboration. In this model, volunteer Site Reliability Engineers (SREs) from around the world contribute their time and expertise to ensure the smooth operation of Sigstore’s services.
This community-driven approach has several benefits. The service has increased resilience: with multiple SREs sharing an on-duty rotation, the risk of a single point of failure is minimized. Community SREs can quickly respond to incidents, reducing downtime and minimizing the impact on users, and this is made even more effective by the ongoing work to improve monitoring and service health probes.
We have multiple vendors providing dedicated volunteers to provide Sigstore with a round-the-clock roster of SREs, including Google, Chainguard, GitHub, Red Hat and Stacklok.
Sigstore’s Graduation Within the OpenSSF
Sigstore was originally incubated within the OpenSSF under the guidance and help of the OpenSSF Technical Advisory Committee (TAC). The project received valuable feedback, mentorship and support during this period, and eventually reached the stage where it was suitable for graduation.
After a rigorous evaluation process, Sigstore successfully graduated to become an official OpenSSF Project. This milestone marked a significant achievement for the community, recognizing the project’s maturity, security and adherence to best practices.
What Does it Mean to be an OpenSSF Project?
As a certified OpenSSF Project, Sigstore has demonstrated its commitment to the following key aspects of a healthy open-source project:
Security
We always prioritize implementing robust security measures to protect the users of Sigstore. A full security audit of Sigstore's code was conducted, and the report was made publicly available. Our CI contains multiple security measures, such as API fuzzing and more. We have a dedicated security response team to act quickly on any discovered or reported vulnerable code. We maintain a point of contact for vulnerability reports and follow coordinated vulnerability disclosure practices.
Governance
By establishing transparent governance processes for decision-making and community engagement, we strengthen our users' trust in the project.
Transparency
Maintaining open communication channels with the community ensures that all stakeholders are informed about project progress. Anyone is welcome to join the community meetings, which are held publicly, along with the technical steering committee meetings.
Project Adoption: The De-Facto Approach to Code Signing and a Move Towards Package Manager Support and Adoption
Sigstore has become the de-facto approach to code signing for open-source projects.
Major adopters include Kubernetes, Helm, Cilium, CPython, urllib3, and many more as seen on Sigstore’s Landscape page.
In 2024 and beyond, package repositories are the focus for adoption, to improve supply chain security for package ecosystems.
npm now leverages Sigstore to sign SLSA provenance attestations, a feature that went into general availability last year.
GitHub Actions now uses Sigstore for provenance in its Artifact Attestations, which went into GA status in June 2024.
Sigstore integration is actively underway for Homebrew, PyPI and Maven Central.
Looking Ahead: SigstoreCon and Beyond
As we celebrate the impact of Sigstore at SigstoreCon, we’re excited to share our vision for the future. Join us as we discuss the latest developments, best practices and emerging trends in digital signing and supply chain security.
Stay tuned for more updates from SigstoreCon and follow our blog at blog.sigstore.dev for the latest news on the project’s progress.
Let’s continue to work together towards a more secure and trustworthy software ecosystem!
To learn more about Kubernetes and the cloud native ecosystem, join us at KubeCon + CloudNativeCon North America, in Salt Lake City, Utah, on November 12-15, 2024.