npm and Sigstore: Provenance Comes to the World's Largest OSS Ecosystem

Automation

npm and Sigstore join forces to bring provenance to the largest open source ecosystem, simplifying package verification, and increasing trust through automated tracking and transparency.

Key takeaways
  • npm and Sigstore team up to provide provenance to the largest open source ecosystem.
  • Existing methods for verifying packages’ integrity (PGP) are cumbersome and don’t provide trust.
  • NPM will now require --providence flag when publishing a package.
  • Providence provides a way to get more certainty and concreteness into the software development flow.
  • Maintainers need a simple and automated way to provide build provenance.
  • The OpenSSF and GitHub are working together to integrate provenance into open source registries.
  • Sigstore CA will provide a transparency log (ReCore) to allow tracking and verification of builds.
  • Existing build processes can be modified to produce provable outputs.
  • Machine identity, not human identity, should be the focus of signature issuance.
  • Signing should be simple, and verifying should be automated.
  • Transparency is key to build trust and accountability in software development.

More talks

MICA: Green light for crypto assets in Europe? Unpacking the good and the bad

Beyond GenAI: What’s Next for the Enterprise? • Andrew Turner • GOTO 2023

Nina van Diermen - BERTopic to accelerate Ukrainian aid by the Red Cross

Bug Bounty Evolution: Not Your Grandson's Bug Bounty

ElixirConf 2023 - Michał Śledź - Rewrite Pion in Elixir

Creating Solutions. Together. - Aleksander Lorentzen - NDC Oslo 2024

Rizèl Scarlett - Level up with Copilot

Eitan Netzer & Oren Netzer - Real Time Machine Learning | PyData Global 2023