Sigstore: Secure and Scalable Infrastructure for Signing and Verifying Software

Sigstore is an open-source project that aims to provide a transparent and secure way to sign and verify software artifacts. It is an initiative that is part of the Open Source Security Foundation (OpenSSF), and it aims to establish standards for software signing that are both easy to use and widely adopted.

Sigstore can sign and verify any software artifact, including container images, source code, NPM packages, and more! It provides a simple and easy-to-use API for developers, as well as command-line tools and integrations with popular software development platforms.

In this talk, we'll dive into the architecture and internals of Sigstore and keyless signing, along with the security considerations that drove the design. We'll examine how you can reuse your existing identity infrastructure to produce signed artifacts without worrying about protecting long-lived keys. We'll also examine how you can use these signatures to enforce runtime policies on signing identities.


Billy Lynch

Staff Software Engineer @Chainguard

Billy is a staff software engineer at Chainguard, working on developer tools and securing software supply chains for everyone! He is an active contributor and maintainer to the Sigstore and Tekton projects, and is the creator of Gitsign. Prior to working at Chainguard, Billy worked on several developer tool teams at Google including Cloud Build, Google Code, and Cloud Source Repositories.

Read more


Zack Newman

Research Scientist @Chainguard

Zack is passionate about developer tooling, supply chain security, and applied cryptography. After 4 years as a software engineer and tech lead on Google Cloud SDK, he moved to MIT CSAIL to research authenticated data structures and Tor network performance. Now, as a research scientist at Chainguard, he works with the TUF and Sigstore communities to make open source more secure.

Read more


Tuesday Jun 13 / 11:50AM EDT ( 50 minutes )


Dumbo / Navy Yard


Security Cloud Native Software Supply Chain Security


From the same track

Session WebAssembly

Wasm: What is Universal Compute Good For?

Tuesday Jun 13 / 10:35AM EDT

WebAssembly represents the future of portable computing, providing an efficient and secure runtime for many languages. In the last year there has been an explosion of growth in Wasm on the backend, from managed platforms, tooling, and further standardization work around WASI.

Speaker image - Sean Isom
Sean Isom

Senior Engineer @Adobe

Session jvm

Virtual Threads for Lightweight Concurrency and Other JVM Enhancements

Tuesday Jun 13 / 02:55PM EDT

Concurrent applications, those serving multiple independent application actions simultaneously, are the bread and butter of server-side programming. The thread has long been software’s primary unit of concurrency, and has also served as a core construct for observability and debugging, but i

Speaker image - Ron Pressler
Ron Pressler

Technical Lead OpenJDK's Project Loom @Oracle

Session WebAssembly

Build Features Faster With WebAssembly Components

Tuesday Jun 13 / 01:40PM EDT

Wasm modules revolutionized portable application code. For the first time, they allowed us to write in a high-level language - like Go or Rust - and then target WebAssembly as the platform-agnostic bytecode.

Speaker image - Bailey Hayes
Bailey Hayes

Director @Cosmonic

Session Software Supply Chain Security

Achieving SLSA Certification with a “Bring-Your-Own-Builder” Framework

Tuesday Jun 13 / 04:10PM EDT

Supply-chain Levels for Software Artifacts, or SLSA (pronounced “salsa”), is a security framework to reason about and improve the integrity of released artifacts. With the recent release of SLSA version 1.0, SLSA is seeing increased adoption, both from industry and open source projects.

Speaker image - Asra Ali
Asra Ali

Software Engineer @Google

Session Software Supply Chain Security

Securing the Software Supply Chain: How in-toto and TUF Work Together to Combat Supply Chain Attacks

Tuesday Jun 13 / 05:25PM EDT

Software supply chain attacks have seen a 742% increase in the last three years. in-toto is a battle-tested and broadly deployed CNCF incubated project that counters these threats.

Speaker image - Marina Moore
Marina Moore

PhD Candidate @NYU & Tech Lead for CNCF's TAG Security