History and Research
Over 100 contributors have pushed over 2,800 commits to Sigstore since its founding. Contributors to the project represent over 20 different organizations, including Red Hat, Google, Chainguard, Purdue University, VMware, Twitter, Citi, Charm, Anchore, and Iron Bank. Today, Sigstore Cosign has over 2,300 GitHub Stars and Sigstore Rekor has more than 3 million log entries. Today, there are over 1,200 active members on the public Slack channel, and many contributors and end users regularly attend Sigstore community meetings.
The Sigstore Rekor project was initiated by Luke Hinds with Red Hat as the founding company in mid-2020. Later, Bob Callaway and Dan Lorenc joined as co-founders of the Sigstore project, which launched in March 2021 with the three major projects of Rekor, Fulcio, and Cosign. Sigstore became a Linux Foundation project on March 9, 2021, citing founding members that include Red Hat, Google, and Purdue University. On July 28, 2021, the 1.0 version of Cosign was released, and the community is currently planning a general availability of Sigstore.
Academic and industry research related to software supply chain security, transparency, reproducibility, and more:
- Software Distribution Transparency and Auditability
- Contour: A Practical System for Binary Transparency
- Reproducible Builds: Break a log, good things come in trees
- Dependency Issues: Solving the World's Open-Source Software Security Problem
- Software Supply-Chain Security Reading List
Sigstore and Programming Language Communities
- Go: sigstore/sigstore
- Java and Maven:
- Rust: sigstore/sigstore-rs
Resources for Learning More
As a living open source project with an engaged community, there are a number of sites and platforms you can navigate to for updated information on Sigstore: