sig-clients

This is the repository for the Clients Special Interest Group (sig-clients) in the Sigstore project. This group has the following provisional mission until the next meeting where we'll discuss it:

Make Sigstore clients across languages/ecosystems easy-to-write, compatible, and secure by providing shared designs/documentation, data formats, and test suites.

In general, we'll try to avoid telling individual implementations what to do, though we may have criteria for various official statuses (e.g., what constitutes a "supported" client).

Projects

sig-clients doesn't own these, but these are relevant projects:

protobuf-specs: cross-client data formats, especially for serializing
sigstore-conformance: conformance test suites for clients
architecture-docs: specifications
Sigstore client implementations in various languages:
- Go: sigstore-go, Cosign, Gitsign,
- Java: sigstore-java
- JavaScript: sigstore-js
- Python: sigstore-python
- Ruby: sigstore-ruby
- Rust: sigstore-rs
policy-controller
Enterprise Contract

Get Involved

(You'll need to join sigstore-dev@googlegroups.com for access to many of these (to prevent spam).)

We welcome contributions from all! Great ways to help include:

Use a Sigstore client and provide feedback (in the form of GitHub issues, chatter on Slack, etc.).
Contribute to any of the above projects: you can just jump in on GitHub (generally best to file issues, ask whether anybody is working on something, etc. before just firing off a PR; see the CONTRIBUTORS.md or CONTRIBUTING.md in the respective repository).
Say hi in Slack!
Join a meeting (open to all community members; see below).

Meetings. Check the sigstore community calendar for meeting invitations/times (see community repository for more). We recognize that various constraints (time zones, connectivity, privacy concerns) mean that meetings aren't a great way for everybody to contribute. We strive to make important decisions asynchronously, via design documents and GitHub issues. At the same time, synchronous meetings can be really useful for hashing out complex issues quickly. We'll record these meetings (links should be in the notes docs).

sig-clients meeting (monthly; notes)
Sigstore Java (weekly; notes)
Sigstore Golang (biweekly; notes)

Slack. We also communicate on Slack. Channels that might be of interest include: #clients, #java, #ruby-gems, #sigstore-rust, #sigstore-go, #cosign, #gitsign.

Governence

This Sig is co-chaired by Fredrik Skogman and Appu Goundan

Roadmap

You'll need to join sigstore-dev@googlegroups.com for access to many of these (to prevent spam).

Last updated: 2023-07-07. See also project-wide roadmap (possibly out-of-date).

This currently represents @znewman01's brain dump; at the next client meeting, we'll work through this.

Short-term (months).

Goal: focusing on Cosign in the near-term as the most widely-used client. If other clients like what we're doing there, they can emulate it (assuming that it's in-scope for the client). Document expectations for clients.

Tech debt: Cosign refactor, port innards to sigstore-go (cosign#2462, cosign#844)
Bundles (cosign#2131)
Policy enhancements: improve Cosign UX
Complete the architecture docs draft and port it to GitHub.
Support language clients.
- Criteria for client maturity #5

Medium-term (quarters).

Goal: make Cosign more flexible

BYO PKI, private deployments
cosign#2858, cosign#2568, cosign#2632, cosign#2630, cosign#2808, cosign#2255
Policy enhancements
- Declarative verification
  - Along the lines of Hammurabi for web PKI, sigstore-go#35, sigstore-python#299.
  - Possibly using Rego/CUE (something datalog-inspired)
- Fancier policies
  - Unification between Cosign and policy-controller
  - e.g., SBOM sigstore/cosign#1954
Testing: conformance test suite
- "End-to-end" tests: hook up to clients
- "Fuzz tests"

Long-term (eventually).

Plumbing and porcelain model for Cosign.
Policy: sophisticated verification policies.
- Integration with TUF/in-toto.
Can we avoid writing every new Sigstore client from scratch?
<Your ideas here!>

Security