Sigstore Update — August 2022

It has been very busy in the Sigstore community over the past few weeks with lots of activity and initiatives progressing at speed. With so many exciting things happening it’s hard to keep up, but here’s a summary of the highlights from the past month.

NPM set to adopt Sigstore

GitHub just announced a new request for comments (RFC) for linking packages to their source and build environment for the npm package manager. As part of the RFC, Sigstore was selected as the solution to signing npm packages as it is the only working solution that met the key requirements:

  • Links packages hosted on the npm registry to the source and build they originated from (provenance information).
  • Supports signing identities that don’t expose any personally identifiable information (PII) about maintainers, e.g. emails.
  • Avoids developer-managed keys (as there’s no good way to offer trust to the community given the challenges of distributing public keys).

As part of the implementation, GitHub has been working on a native JS implementation of the Sigstore signing/verification mechanics called sigstore-js. Github recently donated the library to the Sigstore project — which is very exciting!

The tool supports:

  • Signing npm packages using an OpenID Connect identity
  • Publishing signatures to a Rekor instance
  • Verifying signatures on npm packages

Learn more at:


Great news! Sigstore will host its SigstoreCon, its first official event, on October 25 in Detroit, in co-location with KubeCon + CloudNativeCon North America.

The Call for Papers is open until August 19 ➜ Submit a talk

Sponsorship options are open until August 12 ➜ View prospectus (page 24)

Learn more in this post

3 Million Rekor Entries

Hurray, Rekor reached 3 Million entries! This means that in a little over 6 months, 2 million new entries were logged.

Read the post from January 10, 2021, when we hit 1 million.

Sigstore Expands Technical Steering Committee

With so much activity happening in the community the time was right to expand Sigstore’s Technical Steering Committee from 3 to 5 members. We are thrilled to welcome Trevor Rosen (GitHub) and Santiago Torres Arias (Purdue University) to the committee.

New: Sigstore Office Hours

We recently launched Sigstore Office Hours, which will take place every other Tuesday. Sigstore Office Hours feature demos from Sigstore users and language integrators as well as follow on discussions. They are open to folks new to the community who are interested in adopting Sigstore. The next one will be on August 16 at 12:30 EST. Follow the Sigstore Calendar to get all the details.

Watch the recordings of the previous ones:

Sigstore Audit

The Open Source Technology Improvement Fund (OSTIF) did an audit of Sigstore. They found and fixed a high-risk vulnerability.

Read all about it here.

Blog Posts and Talks

In case you missed them, there were a few recent blog posts:

Priya Wadhwa gave a Sigstore talk called “Demystifying Digital Signatures” at the OpenSSF Day on June 20. Watch her talk to learn more about Sigstore and check out the full playlist of the OpenSSF Day recordings.

New Releases


Sigstore is currently on version 1.3.1, released at the end of July 2022.

Thank you and welcome to our new contributors:


Cosign is container signing, verification and storage in an OCI registry. Its latest release is v1.10.1, which fixed a security issue.

Thank you and welcome to its most recent contributors:


Fulcio is a new kind of root CA for code signing. It’s a work in progress, but it’s coming along nicely. Its most recent release can be viewed here: Release v0.5.2.

Thank you and welcome to our newest contributor: William Woodruff


Keyless Git signing with Sigstore! Its latest release is v0.2.0.

Release highlights:

  • Adds gitsign-credential-cache: an optional socket-based credential cache binary for reusing keys for multiple signing requests without needing to reauth (e.g. rebases).
  • Adds support for out-of-band interactive flows to add support for SSH and other sessions where web browsers are not directly present.
  • Signing errors will now be output to the user TTY directly if available.
  • Fixed Rekor Git SHA generation for tags.


Rekor’s aims to provide an immutable tamper-resistant ledger of metadata generated within a software projects supply chain. View its latest release v0.10.0.

Thank you and welcome Rekor’s newest contributor: Azeem Shaikh

YouTube Channel

Did you know? Sigstore has a YouTube Channel. Subscribe for the latest videos!

If you recently gave a Sigstore talk, let us know and we’ll add it to our Community Talks Playlist.

Get Involved!

As always, we truly welcome contributors and users to our community. We take pride in being friendly to new folks and fostering a welcome and safe environment. Being a large open source project, there is always so much to do, not all of them being complex coding tasks. Valued contributions include: helping with documentation, general testing, and sharing your love of Sigstore with others.

Come and join our Slack workspace and say hello!