By Ashwin Ramaswami
On November 12, 2024, the software security community gathered in Salt Lake City for SigstoreCon: Supply Chain Day, co-located with KubeCon North America 2024. The one-day conference brought together developers, maintainers, and security experts to explore how Sigstore is transforming software supply chain security through simplified signing and verification of digital artifacts.
What is Sigstore?
Sigstore is a suite of open source tools that provides free, automated signing and verification services for software. In doing so, Sigstore eliminates traditional barriers to cryptographic signing of software artifacts. This democratization of security tools makes it possible for any developer or organization to implement robust security practices in their software distribution and consumption pipeline.
At its core, Sigstore consists of three main components: Fulcio, a certificate authority that issues code signing certificates; Rekor, a transparency log that provides an immutable record of signing activities; and Cosign, a tool that simplifies the signing and verification of artifacts. Together, these components create a comprehensive framework that ensures software authenticity and integrity throughout the supply chain.
By leveraging existing identity providers and eliminating the need for long-term key management, Sigstore makes it practical for projects to implement security best practices at scale. This is particularly crucial in today’s software ecosystem, where supply chain attacks have become increasingly sophisticated and frequent, making verifiable software integrity more important than ever. Learn more about Sigstore at https://www.sigstore.dev/.
Keynote Highlights
The day kicked off with welcome remarks from Hayden Blauzvern, Technical Lead Manager at Google, followed by two compelling keynotes:
- Bob Callaway, Head of Google’s Open Source Security Team, shared his vision for Sigstore’s Future. His talk highlighted the rapid adoption of Sigstore and upcoming scalability improvements and enhanced integration capabilities across different platforms and package managers.
- Luke Hinds, Co-founder & CTO of Stacklok, discussed the critical role of transparency in software security and explored how these principles can be applied to building trustworthy AI systems. Sigstore has transparency and verification mechanisms that can help address the challenges around securing AI model supply chains.
Sessions
Technical Deep Dives / Research
The conference featured several technical sessions exploring the cutting edge of Sigstore development and research:
- Trends and Ecosystem Dynamics in Sigstore – Chinenye Okafor from Purdue University presented groundbreaking research on Sigstore adoption patterns and identity verification. The talk analyzed Rekor log entries to better understand misbehavior detection and strengthen identity verification processes.
- Rekor V2: What’s Next for Sigstore’s Transparency Log – Hayden Blauzvern and Colleen Murphy from Google unveiled plans for the next generation of Sigstore’s transparency log. They discussed improvements to API usability, deployment simplification, and enhanced privacy features.
- Rewriting Root-Signing – Jussi Kukkonen from Google provided an in-depth look at Sigstore’s trust root delivery system — a security-critical part of Sigstore — and its recent transition to tuf-on-ci tooling. The presentation covered best practices in trust root management and future directions for the project.
- Sigstore-Powered Hunting – Poppaea McDermott from Stacklok demonstrated how Sigstore’s provenance capabilities can be used to detect and prevent sophisticated supply chain attacks, including recent North Korean APT campaigns targeting npm.
Best Practices for Supply Chain Security
Several sessions focused on practical implementation and best practices:
- Papers, Please – Scrutinizing AI Model Creation – Parth Patel (Kusari) and Mihai Maruseac (Google) explored how Sigstore principles can be applied to AI model security, using SLSA and GUAC for provenance tracking and composition analysis.
- Understanding the Identity of a CI Platform – Richard Fan provided crucial insights into selecting appropriate Subject Alternative Names (SANs) for different CI platforms and avoiding common pitfalls in GitHub Actions integration.
- Sigstore & TUF Conformance Testing – Adam Korczynski (Ada Logics) and Jussi Kukkonen (Google) shared how conformance testing suites help identify security vulnerabilities and maintain ecosystem compatibility.
- The SBOM Revolution – Ian Dunbar-Hall (Lockheed Martin) and Marc Frankel (Manifest) demonstrated how Sigstore integrates with other tools (such as in-toto attestations and SBOMit) to enhance SBOM management and supply chain security.
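As an added illustration, not code from the conference or from any Sigstore project, the check that the SAN session above and the keyless-signing model in "What is Sigstore?" both rest on: a Fulcio certificate carries the signer's OIDC identity in its Subject Alternative Name (a workflow URI for GitHub Actions) and the OIDC issuer in a certificate extension, and a verifier must pin both, which is what cosign's `--certificate-identity` and `--certificate-oidc-issuer` options do. The repository `acme/app` and all SAN values below are constructed samples; the functions are this example's own, not a Sigstore API.

```python
import re
from dataclasses import dataclass

# Real issuer URL that GitHub Actions OIDC tokens carry.
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class CertIdentity:
    """The two identity fields a verifier reads from a Fulcio certificate."""
    san: str     # Subject Alternative Name (workflow URI or e-mail)
    issuer: str  # OIDC issuer recorded in the certificate extension


def verify_exact(cert: CertIdentity, expected_san: str, expected_issuer: str) -> bool:
    """Strict policy: issuer and SAN must both match byte for byte."""
    return cert.issuer == expected_issuer and cert.san == expected_san


def verify_pattern(cert: CertIdentity, san_regexp: str, expected_issuer: str) -> bool:
    """Regexp policy anchored with fullmatch: the pattern must cover the whole SAN."""
    return cert.issuer == expected_issuer and re.fullmatch(san_regexp, cert.san) is not None


def verify_pattern_unanchored(cert: CertIdentity, san_regexp: str, expected_issuer: str) -> bool:
    """The pitfall: re.search accepts any SAN that merely contains the pattern."""
    return cert.issuer == expected_issuer and re.search(san_regexp, cert.san) is not None


# Constructed sample SANs in the GitHub Actions format (not from real certificates).
RELEASE_MAIN = "https://github.com/acme/app/.github/workflows/release.yml@refs/heads/main"
RELEASE_TAG = "https://github.com/acme/app/.github/workflows/release.yml@refs/tags/v1.2.0"
RELEASE_PR = "https://github.com/acme/app/.github/workflows/release.yml@refs/pull/42/merge"


def demo() -> dict:
    """Run the three policies against constructed identities and report each verdict."""
    main_build = CertIdentity(RELEASE_MAIN, GITHUB_ACTIONS_ISSUER)
    tag_build = CertIdentity(RELEASE_TAG, GITHUB_ACTIONS_ISSUER)
    pr_build = CertIdentity(RELEASE_PR, GITHUB_ACTIONS_ISSUER)
    wrong_issuer = CertIdentity(RELEASE_MAIN, "https://oidc.example.invalid")
    # Anchored pattern: dots escaped, ref restricted to main or a semver tag.
    anchored = r"https://github\.com/acme/app/\.github/workflows/release\.yml@refs/(heads/main|tags/v[0-9]+\.[0-9]+\.[0-9]+)"
    # Loose pattern: unescaped dots and no constraint on the ref suffix.
    loose = r"https://github.com/acme/app/.github/workflows/release.yml"
    return {
        "exact_accepts_main": verify_exact(main_build, RELEASE_MAIN, GITHUB_ACTIONS_ISSUER),
        "exact_rejects_tag": verify_exact(tag_build, RELEASE_MAIN, GITHUB_ACTIONS_ISSUER),
        "anchored_accepts_tag": verify_pattern(tag_build, anchored, GITHUB_ACTIONS_ISSUER),
        "anchored_rejects_pr": verify_pattern(pr_build, anchored, GITHUB_ACTIONS_ISSUER),
        "loose_accepts_pr": verify_pattern_unanchored(pr_build, loose, GITHUB_ACTIONS_ISSUER),
        "wrong_issuer_rejected": verify_exact(wrong_issuer, RELEASE_MAIN, GITHUB_ACTIONS_ISSUER),
    }
```

The `loose_accepts_pr` result is the pitfall the session warns about: a pattern that does not pin the ref lets a signature from a pull-request run pass a policy meant for release builds.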
Case Studies
The conference included several real-world implementation stories:
- Building a Sigstore Implementation from Scratch – Samuel Giddins from Ruby Central shared the challenges of implementing Sigstore in Ruby’s standard library, including the complexities of writing a TUF client and handling custom x509 requirements.
- Red Hat’s Journey with Sigstore – Lance Ball and Brian Cook from Red Hat discussed their company’s integration of Sigstore into product pipelines, including lessons learned and suggestions for enterprise adoption.
- The Next 5 Years of Supply Chain Security on PyPI – William Woodruff from Trail of Bits outlined PyPI’s security roadmap, including plans for binary transparency, counter attestations, and TOFU-style identity locking via lockfiles.
- Cosign: Keeping up with the Client Libraries – Zach Steindler from GitHub outlined plans for updating cosign to align with current ecosystem needs and improve interoperability, given recent changes in various client libraries.
Looking Forward
With attendees from major technology companies, academic institutions, and open source projects, SigstoreCon 2024 demonstrated not just the growing importance of software supply chain security for all stakeholders in the security community, but the central role that Sigstore and its community play in software supply chain security. As the Sigstore community continues to grow and evolve, SigstoreCon will remain at the forefront of highlighting efforts across the ecosystem to improve software supply chain security. Recordings of the event are available.
For those interested in getting involved with Sigstore:
- Join the discussion in the Sigstore Slack workspace
- Participate in the sigstore-dev group
- Visit the project’s GitHub repositories
The full conference schedule, presentation slides, and additional resources can be found on the SigstoreCon website.