As part of today’s White House Open Source Security Summit, we are calling on the software industry to standardize on Sigstore and on the U.S. government to signal its support. It has never been more clear nor the time more right to make this free service for digitally signing software artifacts a common standard, enabling a safer chain of custody that can be traced back to the source.
Chainguard is committing resources in the form of dollars and headcount towards the public infrastructure and network proposed by OpenSSF and will collaborate with our industry peers to deepen our work on interoperability to ensure Sigstore’s impact is felt across the software supply chain and every corner of the software ecosystem. We know the importance of interoperability in increasing adoption of these critical tools because of our work on the SLSA Framework and Software Bill of Materials (SBOMs). Interoperability is the linchpin in securing software throughout the supply chain.
This commitment includes a minimum of $1 million a year in support of Sigstore and a pledge to run our own node on the public infrastructure and network. We will immediately work to support the development necessary to implement Sigstore natively in software repositories that include RubyGems, PyPI and more. As co-creators of Sigstore and ongoing contributors, these pledges and commitments demonstrate our long-term commitment to Sigstore as a public, digital good.
These open source tools and projects are the core infrastructure for securing our digital world. But we know not every organization is in a position to go deep on learning each project nor do they have dedicated staff to understand and integrate all of these tools. That’s one reason we started Chainguard and why our first product, Enforce, is the first product designed natively for Sigstore.
Sigstore is one of those foundational technologies that can change the culture of software development. And that’s exactly what is happening. Designed and built with maintainers for maintainers, it has already been widely adopted (most recently by the Kubernetes release team) by millions of developers all over the world. Now’s the time to formalize its role as the defacto standard for digital signatures in software development.
Read the The Open Source Software Security Mobilization Plan by the OpenSSF.