April 3, 2025

Contributing to Sigstore: Lessons from an Enterprise Open Source Journey

Sigstore is a critical part of helping enterprise clients secure their delivery pipelines, remove Change Advisory Board (CAB) processes, and accelerate their journey to production.

Open source software has long been a driving force for innovation, transparency, and collaboration. As part of my role at Liatrio, I had the opportunity to contribute to Sigstore—a suite of services designed to enhance software supply chain security. Working on Sigstore wasn’t just a personal passion project; it was a critical part of helping our enterprise clients secure their delivery pipelines, remove cumbersome Change Advisory Board (CAB) processes, and accelerate their journey to production.

The Path to Sigstore Contributions

I first encountered Sigstore when I was assigned to a client who sought to implement an automated governance solution to be used by a wide variety of people. The goal was to eliminate manual CAB meetings for developers who opted in, streamlining the approval process and improving overall efficiency. As I delved into Sigstore’s components—such as Fulcio, Rekor, TSA, and Cosign—I quickly realized the transformative impact they could have on ensuring secure, verifiable software distribution.

At Liatrio, our Secure Software Supply Chain service leverages these tools to help enterprises build robust, automated delivery pipelines. I began contributing by addressing smaller issues, joining discussions in the Sigstore Slack workspace, and understanding how each component integrated into the larger ecosystem. Over time, I submitted several pull requests across various Sigstore repositories, each one advancing our mission of delivering secure and reliable software solutions.

Architecture diagram including automation, visualization, etc.

Key Pull Requests

Here are some of the contributions I made as part of my work at Liatrio:

  • cosign#3600: Enhanced TSA certificate chain checks by better handling environment variables and TUF targets.
  • sigstore#1646: Updated core Sigstore functionality by refining TSA URI handling in custom metadata.
  • rekor#1627: Improved security by enabling Redis authentication.
  • fulcio#1870: Developed a lightweight cert-utility in Go to create and sign certificates using AWS KMS, GCP KMS, and Azure KMS.
  • scaffolding#934: Resolved a newline issue in TSA certificate chains for cleaner output.
  • timestamp-authority#889: Added useful templates and documentation to improve TSA usability.
  • helm-charts#792: Integrated an optional cronJob to update secrets automatically and avoid staleness.
  • securesystemslib#609: Extended support for AWS KMS signing, enhancing security capabilities.
  • fulcio#1931: Made leaf certificate creation optional, following community and maintainer feedback.

Each pull request was a step toward a more secure and transparent software supply chain—a mission that not only benefits the open source community but also fortifies the enterprise delivery pipelines we build at Liatrio.

Lessons Learned from Enterprise Open Source Contributions

Working on Sigstore as part of my work at Liatrio taught me several valuable lessons that have shaped both my development practices and our approach to enterprise security:

1. Avoid Burnout: Balance Passion with Practicality

Even when working on high-impact projects, it’s essential to set boundaries. At Liatrio, we know that overcommitting can lead to burnout. Maintaining a balance between contributions, full-time work, and personal life is key to long-term success.

2. Explain Your Changes Clearly

A well-documented pull request is as crucial as the code itself. Clear, structured PR descriptions help reviewers understand the context, rationale, and potential impacts of changes. This practice speeds up the review process and ensures that future contributors can trace the evolution of our solutions.

3. Engage Before Coding

Before diving into code, I learned the value of early engagement with the community. Whether it was opening issues or joining discussions, this initial step ensured that my contributions aligned with the project’s needs and saved time by preventing unnecessary work.

4. Clean Up Your Commits

A tidy commit history not only makes your contributions easier to review but also keeps the repository’s history clean and maintainable. Squashing and rebasing commits are practices I adopted early on, and they’ve paid off significantly in terms of project maintainability.

How Liatrio Helps Secure the Software Delivery Chain

At Liatrio, we empower enterprises to secure their entire software delivery chain—from source to production. Our Secure Software Supply Chain service integrates tools like Sigstore into your CI/CD workflows, ensuring that every code change is verifiable, tamper-resistant, and compliant with modern security standards.

We help organizations:

  • Eliminate Manual Approvals: By automating governance, we remove the bottleneck of CAB meetings, enabling faster, more agile deployments.
  • Enhance Code Integrity: Through advanced code signing and artifact attestations, we ensure that software delivered to production is authentic and secure.
  • Accelerate Onboarding: With streamlined, automated pipelines, new engineers can get up to speed quickly and start contributing within minutes rather than days.
  • Secure Every Step: From dependency management to container registry integrity, we embed security into every layer of the software delivery process.

Our approach has helped enterprise clients achieve measurable improvements in security and efficiency—allowing them to focus on innovation while we secure their pipelines.

Final Thoughts

Contributing to Sigstore has been an incredibly rewarding journey. Not only has it deepened my technical skills and enriched my approach to open source collaboration, but it has also reinforced the critical role that secure software delivery plays in today’s enterprise environments. At Liatrio, we’re proud to combine our passion for open source with a commitment to transforming how enterprises secure their software supply chain.

If you’re an enterprise looking to streamline and secure your software delivery process, I encourage you to explore how Liatrio’s comprehensive, automated approach can help. Whether you’re seeking to modernize your pipelines, enhance security, or simply reduce manual overhead, our team is here to support you every step of the way.

Are you contributing to open source? What lessons have you learned on your journey? Share your experiences, and let’s continue to build a more secure future together. Connect with us here.
