Sigstore & Post-Quantum Cryptography (2025) [Sigstore Blog]

How Sigstore is approaching the transition to post-quantum cryptographic algorithms, balancing unblocking experimentation with ongoing algorithm selection and implementation.

Verifying Sigstore Bundles as an End User [Sigstore Blog]

When verifying a Sigstore bundle you should know what instance it came from (public or private), what identities you trust, and which identity providers you trust to supply those identities.

Sidebar: P2P Video and File Sharing in the Browser

Sidebar lets you have video meetings and secure file sharing in your browser, directly between peers without having data pass through a central server.

What's in the SOSS: OpenSSF Mission, Vision, Strategy, and Roadmap [OpenSSF Podcast]

OpenSSF "What's in the SOSS?" podcast episode with Arun Gupta (Intel / OpenSSF Governing Board Chair) and I about the Mission, Vision, Strategy, and Roadmap for the OpenSSF and what we're particularly excited about for 2025.

What's in the SOSS: Dig Into Package Repository Security [OpenSSF Podcast]

OpenSSF "What's in the SOSS?" podcast episode with Jack Cable from CISA and I about the Principles for Package Repository Security and the Securing Software Repositories Working Group.

Sigstore Cosign: Keeping Up with the Client Libraries

Presentation at SigstoreCon about work we're doing to keep cosign interoperable with client libraries and things like npm provenance, Homebrew attestations, and PyPI attestations.

Lessons Learned: Scaling Out Securing Open Source

Presentation at Microsoft BlueHat on how the OpenSSF Securing Software Repositories Working Group assisted in developing security capabilties across PyPI, Homebrew, NuGet and Rust Crates.

The second half of software supply chain security on GitHub [GitHub Blog]

What the US public sector has been saying about the second half of supply chain security, and how GitHub can help you protect the integrity of the software you build.

cosign Verification of npm Provenance, GitHub Artifact Attestations, and Homebrew Provenance [Sigstore Blog]

How to use cosign with new deployments of Sigstore where signed material is stored in the bundle format.

How to Make Programming Language Package Repositories More Secure [OpenSSF Blog]

How the OpenSSF Securing Repositories Working Group supports varied package repositories through security roadmaps, publishing implementation guidance of specific capabilities, and inventorying funding sources.

Public Sector + OpenSSF: Principles for Package Repository Security

An Open Source Summit North America talk with Jack Cable on releasing v0.1 of the Principles for Package Repository Security, to help open source package repositories with roadmaps and to reference in their applications for funding.

Releasing Principles for Package Repository Security [OpenSSF Blog]

Announcing the v0.1 release of Principles for Package Repository Security, a collaboration between the OpenSSF Securing Software Repositories Working Group and the Cybersecurity and Infrastructure Security Agency (CISA).

Making Go Binaries Smaller

Using Go's built-in compiler and linker tooling, along with a Python helper script, to find out which dependencies add the most size to the resulting binary.