SigstoreCon Supply Chain Day 2024

Sigstore has witnessed significant adoption since its launch, becoming a big player in software supply chain security. Research has primarily focused on identity verification and transparency log witnessing (i.e.,verifying log consistency). However, the semantics security (i.e., the content) of log entries remains largely unexplored. Given generic witnessing solutions are not one-size-fits-all, we analyze the dynamics of Rekor log entries to gain insights to enable better misbehavior detection and stronger identity verification. Our analysis answers these questions: * What are the trends in Sigstore adoption over time? * What are the patterns in certificates, and generated signatures? * What kinds of identities are involved in signing? * What actors are performing these signing actions?