More Software Engineering Radio episodes


Dan Lorenc on Sigstore

Published 18 Mar 2026

Duration: 39:04

Software supply chain attacks exploit vulnerabilities in development tools and open-source components, as exemplified by the Shai-Hulud npm breach. Sigstore is proposed as a cryptographic solution for verifying software integrity, though challenges such as enforcement and privacy persist in securing open-source ecosystems.

Episode Description

Dan Lorenc, co-founder and CEO of Chainguard, joins host Priyanka Raghavan to explore Sigstore and its role in securing the software supply chain. The...

Overview

Software supply chain attacks exploit vulnerabilities in the tools, libraries, and components used to build software, enabling malicious code injection into final products. These attacks target open-source components, third-party tools, and build systems, creating complex vulnerabilities across global ecosystems. As open-source adoption expands into critical systems, the attack surface has grown, prompting attackers to focus on supply chain weaknesses rather than direct system infiltration. A notable example is the Shai-Hulud attack, in which a self-replicating worm compromised the npm registry by stealing maintainers' credentials, spreading malware to over 500 repositories and underscoring the risks of credential theft and unsecured package distribution. While npm eventually contained the attack, similar incidents highlight the persistent threat of supply chain exploitation, with potential for severe outcomes like ransomware or data theft.

Sigstore is presented as a critical solution for securing software supply chains: it verifies the integrity of components through cryptographic signatures and transparency logs, ensuring software authenticity. Designed to address vulnerabilities like unauthorized code injection and credential theft, Sigstore links source code, builds, and packages using tamper-proof seals tied to trusted identities, such as email addresses or build systems. Unlike traditional methods like PGP, Sigstore scales for open-source ecosystems, automating signing and verification to reduce key management burdens. Its integration with OpenID Connect and transparency logs allows organizations to audit signed components and detect malicious activity, such as unauthorized signatures or compromised emails. However, its effectiveness relies on widespread adoption and enforcement of verification policies, as signing alone does not prevent malicious code from being introduced during development or distribution.

Broader industry implications emphasize the necessity of securing open-source software, which is now embedded in critical infrastructure. The "weakest link" paradigm in supply chains means even a single vulnerability can compromise entire systems, necessitating comprehensive strategies. Tools like Sigstore aim to standardize verification practices, similar to how Let's Encrypt revolutionized HTTPS adoption. However, challenges remain, including balancing transparency with privacy, cultural shifts toward verification enforcement, and mitigating risks like typo-squatting or compromised identities. Additionally, while Sigstore ensures code origin and integrity, it does not address whether the content is malicious, which requires complementary policies and risk profiling. The evolution toward trust-based systems, leveraging transparency logs and identity verification, underscores the industry's shift toward securing supply chains as a foundational priority.
