
Software Engineering Radio - the podcast for professional software developers
SE Radio 712: Dan Lorenc on Sigstore
Mar 18, 2026
Dan Lorenc, co-founder and CEO of Chainguard and a software supply chain security expert, explains what Sigstore is for and how it links source to artifacts. Shorter segments cover transparency logs, Fulcio, Rekor, and Cosign. The discussion also includes CI/CD signing, real-world adoption, machine-learning model signing, and practical steps such as centralizing builds and trying Cosign.
AI Snips
Short Lived Certificates Replace Manual Key Management
- Sigstore ties signatures to identities via OpenID Connect instead of long-lived keys to simplify developer workflows.
- Dan Lorenc explains that short-lived certificates link signatures to email/identity providers so developers avoid manual key management.
Transparency Logs Provide Trust Through Openness
- Transparency logs provide an append-only public ledger so signatures can be audited and misissuance detected.
- Dan Lorenc notes that logs make forgery detectable and let maintainers trace timestamps to investigate compromises.
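As an added illustration of the append-only ledger property described in this segment (this is not code from the episode or from the Sigstore project), the following Python models an RFC 6962-style Merkle log: each record is hashed into a leaf, a root hash is published, and anyone holding that root can check an inclusion proof for a single entry. A rewritten entry fails that check, which is the sense in which misissuance or tampering becomes detectable. The records, identities and artifact hashes are constructed samples; Rekor's real entry types and API differ from this toy.

```python
"""Toy append-only transparency log with RFC 6962-style Merkle hashing.

Added illustration of the property the episode describes (a public,
auditable ledger where tampering is detectable). It is NOT Rekor's code;
Rekor's entry formats and APIs differ. All records are constructed samples.
"""
import hashlib
import json
from typing import Any, Dict, List


def hash_leaf(data: bytes) -> bytes:
    """RFC 6962 leaf hash; the 0x00 prefix separates leaves from nodes."""
    return hashlib.sha256(b"\x00" + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash with the 0x01 prefix."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    """Merkle tree head over an ordered list of leaf hashes."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaves[0]
    k = _split(n)
    return hash_node(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path for leaf `index`: sibling hashes ordered leaf-to-root."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Rebuild the root from one leaf and its audit path (RFC 9162 s2.1.3.2).

    A verifier needs only the leaf, the proof and a trusted root hash, so
    anyone can audit an entry without trusting the log operator.
    """
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            while not fn & 1 and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = hash_node(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def encode(record: Dict[str, Any]) -> bytes:
    """Canonical JSON so independent parties hash a record identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def demo() -> Dict[str, bool]:
    # Constructed signing-event records (hypothetical hashes and identities).
    records = [
        {"artifact_sha256": "aa" * 32, "signer": "alice@example.com"},
        {"artifact_sha256": "bb" * 32, "signer": "bob@example.com"},
        {"artifact_sha256": "cc" * 32, "signer": "ci@example.com"},
    ]
    leaves = [hash_leaf(encode(r)) for r in records]   # append-only: only grows
    pinned_root = merkle_root(leaves)                   # what a monitor records
    proof = inclusion_proof(leaves, 1)

    honest = verify_inclusion(leaves[1], 1, len(leaves), proof, pinned_root)
    # A rewritten entry (different signer) cannot verify against the pinned
    # root with the same proof: the modification is detectable by any auditor.
    rewritten = hash_leaf(encode(dict(records[1], signer="mallory@example.com")))
    tampered = verify_inclusion(rewritten, 1, len(leaves), proof, pinned_root)
    return {"honest_entry_verifies": honest, "rewritten_entry_verifies": tampered}


if __name__ == "__main__":
    print(demo())
```

The verifier never needs the full log, only the leaf, the audit path and a root it already trusts; that is what lets third-party monitors audit a log operator rather than take its word.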
Cosign Fulcio And Rekor Form Sigstore Core
- Sigstore tooling includes Cosign for containers, Fulcio for identity certificates, and Rekor for the transparency log.
- Dan Lorenc highlights that the OpenSSF public-good instance runs these shared services for open source users.
