A call to standardize on digital signatures for software security with Sigstore
As part of today’s White House Open Source Security Summit, we are calling on the software industry to standardize on Sigstore and on the U.S. government to signal its support. It has never been more clear nor the time more right to make this free service for digitally signing software artifacts a common standard, enabling a safer chain of custody that can be traced back to the source.
Chainguard is committing resources in the form of dollars and headcount towards the public infrastructure and network proposed by OpenSSF and will collaborate with our industry peers to deepen our work on interoperability to ensure Sigstore’s impact is felt across the software supply chain and every corner of the software ecosystem. We know the importance of interoperability in increasing adoption of these critical tools because of our work on the SLSA Framework and Software Bill of Materials (SBOMs). Interoperability is the linchpin in securing software throughout the supply chain.
This commitment includes a minimum of $1 million a year in support of Sigstore and a pledge to run our own node on the public infrastructure and network. We will immediately work to support the development necessary to implement Sigstore natively in software repositories that include RubyGems, PyPI and more. As co-creators of Sigstore and ongoing contributors, these pledges and commitments demonstrate our long-term commitment to Sigstore as a public, digital good.
These open source tools and projects are the core infrastructure for securing our digital world. But we know not every organization is in a position to go deep on learning each project nor do they have dedicated staff to understand and integrate all of these tools. That’s one reason we started Chainguard and why our first product, Enforce, is the first product designed natively for Sigstore.
Sigstore is one of those foundational technologies that can change the culture of software development. And that’s exactly what is happening. Designed and built with maintainers for maintainers, it has already been widely adopted by millions of developers all over the world (most recently by the Kubernetes release team). Now’s the time to formalize its role as the de facto standard for digital signatures in software development.
Read The Open Source Software Security Mobilization Plan by the OpenSSF.