We are delighted to announce the creation of the Clients Special Interest Group (sig-clients) for the Sigstore project. This exciting new initiative marks the first SIG for Sigstore and serves as an experiment in organizing efforts across the Sigstore project.
The sig-clients repository is your one-stop shop for all things related to Sigstore clients across various languages and ecosystems. This group has the following mission:
Make Sigstore clients across languages/ecosystems easy-to-write, compatible, and secure by providing shared designs/documentation, data formats, and test suites.
The SIG does not control the various Sigstore clients, but instead tries to make the jobs of their maintainers as easy as possible.
The project roadmap (available in full in the repository) focuses on enhancing Cosign, the most widely used client, in the short term. This includes improving user experience with policy enhancements and better identity assertion guidance, supporting language clients, and refining documentation. The medium-term goal is to increase Cosign’s flexibility, with a focus on personalizing PKI and private deployments, expanding policy enhancements, and improving testing methods. Finally, long-term plans include developing a plumbing and porcelain model for Cosign, integrating with TUF/in-toto, and devising ways to reduce the amount of work needed to create new Sigstore clients.
If you’d like to get involved, the repository lists ways to do so, including meetings to attend and Slack channels to join.