2 min

Developers object to GitHub’s suggestion to use Sigstore to enhance network security by connecting npm packages to their inputs.

GitHub, which runs the npm package management system, is offering to incorporate new security features to npm because npm is regularly used by many JavaScript and Typescript development companies. GitHub aims to connect npm to Sigstore services, which can provide a verified connection between npm’s framework and database.

Sigstore project

Backed by Linux Foundation, Giant Teach, and VMware, the Sigstore project was started in March 2021. Sigstore is essentially a collection of code signing tools used by programmers, software managers, package supervisors, security professionals and others.

The most common use of these tools is to eliminate the requirement for accessing control signatures by authorizing short-term buttons established on Open Identification Connect (OIDC) identities. Other than that, these tools document all measures in an accounting book. Registries like RubyGems and PyPI have already implemented Sigstore signing.


Developers rejected Sigstore while noting its flaws. The first is that Sigstore is still in its initial stages and characterizes itself as experimental. Moreover, the Sigstore proposal can only support general npm packages with public reference archives and server-based CI/CD providers.

The hazards of lock-in also appear to exist in Sigstore: it doesn’t connect with all packages. According to the RFC, “only GitHub Actions is completely supported in Fulcio presently.” The RFC further said it “would like to see assistance added for any general CI/CD provider”, such as Circle CI, GitLab, and Google Cloud Build. 

Key takeaways

The RFC has sparked much discussion about whether or not Sigstore should be used. The outlook is Sigstore is said to be a burden on developers rather than a benefit to users. Although developers are now looking for new opportunities, there is currently little incentive to produce programs that are maintainer focused.

Tip: Check Point finds ten malicious Python packages in PyPi