Software Engineering Radio - the podcast for professional software developers

SE Radio 712: Dan Lorenc on Sigstore

Mar 18, 2026
Dan Lorenc, co-founder and CEO of Chainguard and a software supply chain security expert, explains what Sigstore does and why verifying the origin and integrity of software matters. He walks through key components such as Fulcio, Rekor, and Cosign, and covers integrating signing into CI/CD, signing ML models, and real-world adoption and tooling.
AI Snips
ANECDOTE

ShaiHulud Worm Spread By Stealing NPM Publish Credentials

  • The ShaiHulud NPM worm started via maintainer account takeovers and became a self-replicating registry worm.
  • Dan Lorenc described how it stole publish credentials so that it propagated exponentially across NPM packages.
INSIGHT

Source Review Doesn’t Guarantee Published Package Integrity

  • Supply chain attacks exploit the gap between reviewed source code and transformed published packages.
  • Dan Lorenc explained that attackers can tamper with a package after source review because it is compiled and uploaded to registries like NPM in a separate step.
ADVICE

Make Signing Free, Automated, and Ubiquitous

  • Make signing free, automatic, and easy to drive broad adoption like Let's Encrypt did for TLS.
  • Dan Lorenc recommends tooling that automates signing so verification can become ubiquitous and eventually required.