Why you can’t use Sigstore without Sigstore
I was delighted to see a recent preprint that mentioned Sigstore appear on the IACR’s Cryptology ePrint Archive. The reason that we published an academic paper, Sigstore: Software Signing for Everybody, was to encourage the scrutiny of the research community. Progress in the field of computer security only comes from the back-and-forth between proposed defenses and offensive analyses of those techniques, and we welcome third-party analysis of the project.