Add Q2 2026 Sigstore updates #620
Open
Hayden-IO wants to merge 1 commit into ossf:main from Hayden-IO:patch-6
+53 −0
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| # 2026 Q2 Sigstore | ||
|
|
||
| ## Post-quantum cryptographic readiness | ||
|
|
||
| Following the community's [timeline and plan](https://docs.google.com/document/d/15wQW5RCk55_CrIOYEtzJ0IyazbBGdMK8KsaI8S8oJ7U/edit?pli=1&tab=t.0#heading=h.o3tezvh8snap) | ||
| to create and rollout infrastructure and clients that support post-quantum cryptographic signatures, we have now | ||
| authored a [design document](https://docs.google.com/document/d/1g3WQk4JSwQ26MGwB-Kkhu8ylrPF5JnE4v62d2tDC2xY/edit) | ||
| (please join [sigstore-dev](https://groups.google.com/g/sigstore-dev) to view) | ||
| with technical details on the infrastructure and client changes. We're excited | ||
| to get started and will have much to demo in the coming months. We welcome | ||
| any community feedback, particularly from those with private Sigstore deployments | ||
| to better understand their operational requirements. | ||
|
|
||
| ## Adoption highlights | ||
|
|
||
| * [Pixi](https://pixi.prefix.dev/latest/) is leveraging sigstore-rust to create attestations | ||
| * [mise](https://github.com/jdx/mise) is using sigstore-rust to verify GitHub artifact attestations | ||
|
|
||
| ## Rekor v2 as the default paused | ||
|
|
||
| Given our focus has shifted to supporting PQC, we will not pursue making Rekor v2 | ||
| the default log, as this would be a breaking change for ecosystems. The public instance | ||
| will still remain up, clients just won't write to it by default. | ||
|
|
||
| We have an upcoming [blog post](https://github.com/sigstore/sigstore-blog/pull/95) | ||
| with more details, including how to use Rekor v2 and benefits to clients that do | ||
| choose to switch over. | ||
|
|
||
| ## Cosign v3.1 | ||
|
|
||
| [Cosign v3.1](https://github.com/sigstore/cosign/releases/tag/v3.1.0) was recently released, | ||
| which deprecates a significant number of flags as we continue our efforts around signature | ||
| standardization with the [Bundle](https://blog.sigstore.dev/cosign-verify-end-user/) format. | ||
|
|
||
| Cosign v4, which will remove all deprecated flags, will follow shortly. Clients can stay on | ||
| v3.x if needed. | ||
|
|
||
| ## OpenSSF TI-funded log monitoring website | ||
|
|
||
| [Through OSSF TI funding](https://github.com/ossf/tac/issues/536), work continues to | ||
| build a website for monitoring the Rekor transparency log, akin to https://www.gopherwatch.org/. | ||
| See an early version [here](https://github.com/trailofbits/rekor-watch), which will be merged | ||
| into [sigstore/rekor-monitor](https://github.com/sigstore/rekor-monitor) shortly. We will | ||
| work with the broader community to identify an organization to stand up an instance of the monitor. | ||
|
|
||
| ## Funding requests and updates | ||
|
|
||
| We are not planning any additional funding requests at this time. | ||
|
|
||
| Updates for existing funding requests: | ||
|
|
||
| * [Log monitoring website](https://github.com/ossf/tac/issues/536) - Funds have been fully allocated with monthly invoicing, work is wrapping up | ||
| * [Rust client audit](https://github.com/ossf/tac/issues/574) - Trail of Bits will be completing this audit starting early Q3. | ||
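Review bot: The "Rekor v2 as the default paused" heading and its body disagree: the heading says the change is paused, but the text says "we will not pursue making Rekor v2 the default log", which reads as cancelled. Pick one and align them, e.g. "we are pausing work on making Rekor v2 the default log" if the intent matches the heading. Two smaller wording points in the same hunk: "create and rollout infrastructure" should be "create and roll out infrastructure" (verb form), and "Trail of Bits will be completing this audit starting early Q3" mixes completing and starting; "Trail of Bits will begin this audit in early Q3" is clearer. Also consider trimming the `?pli=1&tab=t.0` session parameters from the timeline link so the URL is stable for readers.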
@steiza Any other organizations or tools to highlight?