It is the shared view of the Sigstore Technical Steering Committee that Sigstore meets the requirements of a Graduated project within the OpenSSF.
Below are the details of the project's readiness for graduation.
- Sigstore has maintainers across many different companies and academic institutions (examples include Purdue, NYU, Google, Chainguard, GitHub, Red Hat, Stacklok, VMware, IBM, Trail of Bits, Yahoo).
  - We maintain a diversified contributor base with an active flow of contributions.
  - 58 repositories spanning polyglot client SDKs, servers (transparency logs, certificate authorities, policy controllers), and supporting automation (e.g. Helm charts and Terraform templates).
  - Examples of contributor/maintainer diversity:
    - Cosign: Contributor data
      - Maintainers from: Chainguard, Google, Trendyol
    - Sigstore-python: Contributor data
      - Maintainers from: Google, Trail of Bits, Stacklok
    - Sigstore-rs: Contributor data
      - Maintainers from: Alibaba, Google, Red Hat, Stacklok, SUSE
    - Sigstore-go: Contributor data
      - Maintainers from: GitHub, Google, Stacklok
- We have two formalized sub-groups:
Sigstore represents a novel approach to digital signing, removing the need for signing key management and providing an auditable record of signatures. Sigstore provides a trust foundation for other OpenSSF projects (SLSA, Scorecard, OpenVex).
Sigstore has become the de facto approach to code signing for open source projects. As seen on Sigstore's Landscape, major adopters include Kubernetes, Helm, Python and Kyverno. In 2024 and beyond, package repositories are the focus for adoption, to improve supply chain security for package ecosystems.
npm leverages Sigstore to sign SLSA provenance statements, a feature which went into general availability last year.
Homebrew, PyPI and Maven Central Sigstore integration is actively underway for each ecosystem.
- Clients and services receive regular updates and release frequently (approximately a monthly cadence, or as needed for bug fixes).
- Project governance is documented, and maintainer changes are recorded through updates to the community repository.
- Technical Steering Committee (TSC) meeting minutes are available at Sigstore TSC Agenda and Minutes.
  - An up-to-date charter is located in the sigstore/tsc repo.
- We provided updates to the OpenSSF TAC on 8/9/22, 10/4/22, 8/8/23 and 11/14/23.
- OSTIF completed a security audit for Sigstore, with all findings addressed.
| Reference | URL |
|---|---|
| Repo | https://github.com/sigstore |
| Website | https://sigstore.dev |
| Contributing guide | https://github.com/sigstore/.github/blob/main/CONTRIBUTING.md |
| Roadmap | https://github.com/sigstore/community/blob/main/ROADMAP.md |
| Mailing List | https://groups.google.com/g/sigstore-dev |
| YouTube | https://www.youtube.com/channel/UCWPVc8glVGOODxsA_ep0VVw |
| Slack | https://sigstore.slack.com/ |
| X | @projectsigstore |
| LinkedIn | https://www.linkedin.com/company/71558774/ |
- We follow security best practices (Scorecard, AllStar, Dependabot and CodeQL support, build pipelines automated through CI/CD, branch protection). For the services we operate, infrastructure is hardened, access for on-call engineers is granted on demand with review, and we use the latest cloud technologies to manage infrastructure (GKE, Helm, Terraform).
  - Write-up available here: Sigstore Best Practices Badge Application
- We maintain a point of contact for vulnerability reports, as documented in security.MD, and follow coordinated vulnerability disclosure practices.
- We implement and practice mature development and release processes. We leverage automated CI/CD for testing and releases, with releases built on Google Cloud Build and GitHub Actions. Releases are signed with Sigstore. We adhere to semantic versioning for the clients and services, and have a declared policy documenting this. Clients must meet a minimum bar for a GA/1.0 release (example with Rust).
- We receive guidance from the OpenSSF TAC while providing updates to the TAC.
- Sigstore is represented at OpenSSF conferences through the supply chain security track.
- Each Sigstore repository includes a code of conduct.
- We follow vulnerability disclosure practices as documented by the Vulnerability Disclosure WG.
- Our GitHub-organization-wide security.MD file covers our disclosure reporting process.
  - A 4-member security response team is responsible for triaging reported issues.
- Project updates are regularly posted to blog.sigstore.dev and to the OpenSSF blog. The Linux Foundation offers a training course for Sigstore.