{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T15:40:27Z","timestamp":1772120427545,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":82,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T00:00:00Z","timestamp":1667779200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,7]]},"DOI":"10.1145\/3548606.3560596","type":"proceedings-article","created":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T11:41:28Z","timestamp":1667821288000},"page":"2353-2367","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":33,"title":["Sigstore"],"prefix":"10.1145","author":[{"given":"Zachary","family":"Newman","sequence":"first","affiliation":[{"name":"Chainguard, Brooklyn, NY, USA"}]},{"given":"John Speed","family":"Meyers","sequence":"additional","affiliation":[{"name":"Chainguard, Falls Church, VA, USA"}]},{"given":"Santiago","family":"Torres-Arias","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}]}],"member":"320","published-online":{"date-parts":[[2022,11,7]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363192"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"crossref","unstructured":"C. Adams P. Cain D. Pinka and R. Zuccherato. 2001. Internet X.509 Public Key Infrastructure Time-Stamp Protocol. Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc3161  C. Adams P. Cain D. Pinka and R. Zuccherato. 2001. Internet X.509 Public Key Infrastructure Time-Stamp Protocol. Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc3161","DOI":"10.17487\/rfc3161"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2015.72"},{"key":"e_1_3_2_1_4_1","unstructured":"The Update Framework authors. 2022. TUF. https:\/\/github.com\/theupdateframework\/tuf.  The Update Framework authors. 2022. TUF. https:\/\/github.com\/theupdateframework\/tuf."},{"key":"e_1_3_2_1_5_1","unstructured":"Andrew Ayer. 2021. Yeti 2022 not furnishing entries for STH 65569149. https:\/\/groups.google.com\/a\/chromium.org\/g\/ct-policy\/c\/PCkKU357M2Q\/. Accessed: 2022-04-30.  Andrew Ayer. 2021. Yeti 2022 not furnishing entries for STH 65569149. https:\/\/groups.google.com\/a\/chromium.org\/g\/ct-policy\/c\/PCkKU357M2Q\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_6_1","unstructured":"Richard Barnes. 2017. [meta] Binary Transparency on Firefox. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1341395.  Richard Barnes. 2017. [meta] Binary Transparency on Firefox. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1341395."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","unstructured":"R. Barnes J. Hoffman-Andrews D. McCarney and J. Kasten. 2019. Automatic Certificate Management Environment (ACME). Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc8555  R. Barnes J. Hoffman-Andrews D. McCarney and J. Kasten. 2019. Automatic Certificate Management Environment (ACME). Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc8555","DOI":"10.17487\/RFC8555"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2010.71"},{"key":"e_1_3_2_1_9_1","unstructured":"Joseph R. Biden  Jr. 2021. Executive Order on Improving the Nation's Cybersecurity. Accessed: 2022-04-30.  Joseph R. Biden Jr. 2021. Executive Order on Improving the Nation's Cybersecurity. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_10_1","volume-title":"30th USENIX Security Symposium, USENIX Security 2021","author":"Birge-Lee Henry","year":"2021","unstructured":"Henry Birge-Lee , Liang Wang , Daniel McCarney , Roland Shoemaker , Jennifer Rexford , and Prateek Mittal . 2021 . Experiences Deploying Multi-Vantage-Point Domain Validation at Let's Encrypt . In 30th USENIX Security Symposium, USENIX Security 2021 , August 11-13, 2021,, Michael Bailey and Rachel Greenstadt (Eds.). USENIX Association, Virtual Event, 4311--4327. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/birge-lee Henry Birge-Lee, Liang Wang, Daniel McCarney, Roland Shoemaker, Jennifer Rexford, and Prateek Mittal. 2021. Experiences Deploying Multi-Vantage-Point Domain Validation at Let's Encrypt. In 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021,, Michael Bailey and Rachel Greenstadt (Eds.). USENIX Association, Virtual Event, 4311--4327. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/birge-lee"},{"key":"e_1_3_2_1_11_1","volume-title":"Introduction to Computer Security","author":"Bishop Matt","unstructured":"Matt Bishop . 2004. Introduction to Computer Security . Addison-Wesley Professional , Boston . Matt Bishop. 2004. Introduction to Computer Security. Addison-Wesley Professional, Boston."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"e_1_3_2_1_13_1","volume-title":"IEEE INFOCOM 2018-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). IEEE, IEEE","author":"Fontugne Romain","year":"2018","unstructured":"Chia-ling Chan, Romain Fontugne , Kenjiro Cho , and Shigeki Goto . 2018 . Monitoring TLS adoption using backbone and edge traffic . In IEEE INFOCOM 2018-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). IEEE, IEEE , Honolulu, HI, 208--213. Chia-ling Chan, Romain Fontugne, Kenjiro Cho, and Shigeki Goto. 2018. Monitoring TLS adoption using backbone and edge traffic. In IEEE INFOCOM 2018-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). IEEE, IEEE, Honolulu, HI, 208--213."},{"key":"e_1_3_2_1_14_1","unstructured":"Timothy Chen. 2018. One Billion Domains. https:\/\/www.domaintools.com\/resources\/blog\/one-billion-domains. Accessed: 2022-04--30.  Timothy Chen. 2018. One Billion Domains. https:\/\/www.domaintools.com\/resources\/blog\/one-billion-domains. Accessed: 2022-04--30."},{"key":"e_1_3_2_1_16_1","unstructured":"Mozilla Developer Network Contributors. 2022. Certificate Transparency. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Certificate_Transparency. Accessed: 2022-04-30.  Mozilla Developer Network Contributors. 2022. Certificate Transparency. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Certificate_Transparency. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"crossref","unstructured":"M. Cooper Y. Dzambasow P. Hesse S. Joseph and R. Nicholas. 2005. Internet X.509 Public Key Infrastructure: Certification Path Building (RFC 5280). Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc5280  M. Cooper Y. Dzambasow P. Hesse S. Joseph and R. Nicholas. 2005. Internet X.509 Public Key Infrastructure: Certification Path Building (RFC 5280). Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc5280","DOI":"10.17487\/rfc4158"},{"key":"e_1_3_2_1_18_1","unstructured":"Frank Dennis. 2015. Minisign. https:\/\/jedisct1.github.io\/minisign\/. Accessed: 2020-04--30.  Frank Dennis. 2015. Minisign. https:\/\/jedisct1.github.io\/minisign\/. Accessed: 2020-04--30."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/332186.332286"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1515\/popets-2017-0052"},{"key":"e_1_3_2_1_21_1","unstructured":"F-Droid. 2022. Security Model. https:\/\/f-droid.org\/docs\/Security_Model\/. Accessed: 2022-04-30.  F-Droid. 2022. Security Model. https:\/\/f-droid.org\/docs\/Security_Model\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"crossref","unstructured":"D. Fett B. Campbell J. Bradley T. Lodderstedt M. Jones and D. Waite. 2022. Internet Draft: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Technical Report. Internet Engineering Task Force. https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-oauth-dpop  D. Fett B. Campbell J. Bradley T. Lodderstedt M. Jones and D. Waite. 2022. Internet Draft: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Technical Report. Internet Engineering Task Force. https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-oauth-dpop","DOI":"10.17487\/RFC9449"},{"key":"e_1_3_2_1_23_1","unstructured":"The Linux Foundation. 2019. The Linux Foundation's Automated Compliance Work Garners New Funding Advances Tools Development. https:\/\/www.linuxfoundation.org\/press-release\/the-linux-foundations-automated-compliance-work-garners-new-funding-advances-tools-development\/. Accessed: 2022-04-30.  The Linux Foundation. 2019. The Linux Foundation's Automated Compliance Work Garners New Funding Advances Tools Development. https:\/\/www.linuxfoundation.org\/press-release\/the-linux-foundations-automated-compliance-work-garners-new-funding-advances-tools-development\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_24_1","volume-title":"SLSA: Supply-chain levels for software artifacts. https:\/\/slsa.dev. Accessed: 2022-04-30.","author":"Foundation The Linux","year":"2022","unstructured":"The Linux Foundation . 2022 a. SLSA: Supply-chain levels for software artifacts. https:\/\/slsa.dev. Accessed: 2022-04-30. The Linux Foundation. 2022a. SLSA: Supply-chain levels for software artifacts. https:\/\/slsa.dev. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_25_1","unstructured":"The Linux Foundation. 2022b. Tekton. https:\/\/tekton.dev. Accessed: 2022-04-30.  The Linux Foundation. 2022b. Tekton. https:\/\/tekton.dev. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1073001.1073003"},{"key":"e_1_3_2_1_27_1","volume-title":"USENIX","author":"Geer Dan","unstructured":"Dan Geer , Bentz Tozer , and John Speed Meyers . 2020. For good measure: Counting broken links: A quant's view of software supply chain security . In USENIX ; Login :, Vol. 45 , no. 4. USENIX Association, Berkeley, California. Dan Geer, Bentz Tozer, and John Speed Meyers. 2020. For good measure: Counting broken links: A quant's view of software supply chain security. In USENIX; Login:, Vol. 45, no. 4. USENIX Association, Berkeley, California."},{"key":"e_1_3_2_1_28_1","volume-title":"Fedora servers breached after external compromise. The Register (January","author":"Goodin Dan","year":"2011","unstructured":"Dan Goodin . 2011. Fedora servers breached after external compromise. The Register (January 2011 ). https:\/\/www.theregister.com\/2011\/01\/25\/fedora_server_compromised\/. Accessed : 2022-04-30. Dan Goodin. 2011. Fedora servers breached after external compromise. The Register (January 2011). https:\/\/www.theregister.com\/2011\/01\/25\/fedora_server_compromised\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_29_1","unstructured":"Inc. Google. 2016. Trillian. https:\/\/github.com\/google\/trillian. Accessed: 2022-04--30.  Inc. Google. 2016. Trillian. https:\/\/github.com\/google\/trillian. Accessed: 2022-04--30."},{"key":"e_1_3_2_1_30_1","unstructured":"Google Inc. 2019. Go Module Mirror Index and Checksum Database. https:\/\/sum.golang.org\/. Accessed: 2022-04-30.  Google Inc. 2019. Go Module Mirror Index and Checksum Database. https:\/\/sum.golang.org\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_31_1","volume-title":"Gentoo Linux server compromised. https:\/\/www.zdnet.com\/article\/gentoo-linux-server-compromised\/. ZDNet","author":"Gray Patrick","year":"2003","unstructured":"Patrick Gray . 2003. Gentoo Linux server compromised. https:\/\/www.zdnet.com\/article\/gentoo-linux-server-compromised\/. ZDNet ( 2003 ). Accessed : 2022-04-30. Patrick Gray. 2003. Gentoo Linux server compromised. https:\/\/www.zdnet.com\/article\/gentoo-linux-server-compromised\/. ZDNet (2003). Accessed: 2022-04-30."},{"key":"e_1_3_2_1_32_1","unstructured":"Matthew Green. 2014. What's the Matter with PGP? https:\/\/blog.cryptographyengineering.com\/2014\/08\/13\/whats-matter-with-pgp\/. Accessed: 2020-04-30.  Matthew Green. 2014. What's the Matter with PGP? https:\/\/blog.cryptographyengineering.com\/2014\/08\/13\/whats-matter-with-pgp\/. Accessed: 2020-04-30."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-91625-1_8"},{"key":"e_1_3_2_1_35_1","volume-title":"Top 1 Million Analysis --","author":"Helme Scott","year":"2021","unstructured":"Scott Helme . 2021. Top 1 Million Analysis -- November 2021 . https:\/\/scotthelme.co.uk\/top-1-million-analysis-november-2021\/. Accessed: 2022-04-30. Scott Helme. 2021. Top 1 Million Analysis -- November 2021. https:\/\/scotthelme.co.uk\/top-1-million-analysis-november-2021\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_36_1","volume-title":"Updating IoT devices: challenges and potential approaches. In 2020 Global Internet of Things Summit (GIoTS)","author":"Hern\u00e1ndez-Ramos Jos\u00e9 L","unstructured":"Jos\u00e9 L Hern\u00e1ndez-Ramos , Gianmarco Baldini , Sara N Matheu , and Antonio Skarmeta . 2020. Updating IoT devices: challenges and potential approaches. In 2020 Global Internet of Things Summit (GIoTS) . IEEE, IEEE , Dublin, Ireland , 1--5. Jos\u00e9 L Hern\u00e1ndez-Ramos, Gianmarco Baldini, Sara N Matheu, and Antonio Skarmeta. 2020. Updating IoT devices: challenges and potential approaches. In 2020 Global Internet of Things Summit (GIoTS). IEEE, IEEE, Dublin, Ireland, 1--5."},{"key":"e_1_3_2_1_37_1","volume-title":"Sigstore: An open answer to software supply chain trust and security. https:\/\/www.redhat.com\/en\/blog\/sigstore-open-answer-software-supply-chain-trust-and-security. Accessed: 2022-04-30.","author":"Hinds Luke","year":"2021","unstructured":"Luke Hinds . 2021 . Sigstore: An open answer to software supply chain trust and security. https:\/\/www.redhat.com\/en\/blog\/sigstore-open-answer-software-supply-chain-trust-and-security. Accessed: 2022-04-30. Luke Hinds. 2021. Sigstore: An open answer to software supply chain trust and security. https:\/\/www.redhat.com\/en\/blog\/sigstore-open-answer-software-supply-chain-trust-and-security. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_38_1","volume-title":"The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods. CoRR","author":"Holz Ralph","year":"2019","unstructured":"Ralph Holz , Johanna Amann , Abbas Razaghpanah , and Narseo Vallina-Rodriguez . 2019. The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods. CoRR , Vol. abs\/ 1907 .12762 ( 2019 ). showeprint[arXiv]1907.12762 http:\/\/arxiv.org\/abs\/1907.12762 Ralph Holz, Johanna Amann, Abbas Razaghpanah, and Narseo Vallina-Rodriguez. 2019. The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods. CoRR, Vol. abs\/1907.12762 (2019). showeprint[arXiv]1907.12762 http:\/\/arxiv.org\/abs\/1907.12762"},{"key":"e_1_3_2_1_39_1","unstructured":"Justin Hutchings. 2021. Safeguard your containers with new container signing capability in GitHub Actions. https:\/\/github.blog\/2021--12-06-safeguard-container-signing-capability-actions. Accessed: 2022-04-30.  Justin Hutchings. 2021. Safeguard your containers with new container signing capability in GitHub Actions. https:\/\/github.blog\/2021--12-06-safeguard-container-signing-capability-actions. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_40_1","unstructured":"kpcyrd. 2021. pacman-bintrans. https:\/\/github.com\/kpcyrd\/pacman-bintrans. Accessed: 2022-04-30.  kpcyrd. 2021. pacman-bintrans. https:\/\/github.com\/kpcyrd\/pacman-bintrans. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_41_1","volume-title":"JEDI: Many-to-Many End-to-End Encryption and Key Delegation for IoT. In 28th USENIX Security Symposium (USENIX Security 19)","author":"Kumar Sam","unstructured":"Sam Kumar , Yuncong Hu , Michael P Andersen , Raluca Ada Popa , and David E. Culler . 2019 . JEDI: Many-to-Many End-to-End Encryption and Key Delegation for IoT. In 28th USENIX Security Symposium (USENIX Security 19) . USENIX Association, Santa Clara, CA, 1519--1536. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/kumar-sam Sam Kumar, Yuncong Hu, Michael P Andersen, Raluca Ada Popa, and David E. Culler. 2019. JEDI: Many-to-Many End-to-End Encryption and Key Delegation for IoT. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 1519--1536. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/kumar-sam"},{"key":"e_1_3_2_1_42_1","volume-title":"Uptane: Securing Software Updates for Automobiles. 14th ESCAR Europe","author":"Kuppusamy Trishank Karthik","year":"2016","unstructured":"Trishank Karthik Kuppusamy , Akan Brown , Sebastien Awwad , Damon McCoy , Russ Bielawski , Cameron Mott , Sam Lauzon , Andr\u00e9 Weimerskirch , and Justin Cappos . 2016 a. Uptane: Securing Software Updates for Automobiles. 14th ESCAR Europe (2016). Trishank Karthik Kuppusamy, Akan Brown, Sebastien Awwad, Damon McCoy, Russ Bielawski, Cameron Mott, Sam Lauzon, Andr\u00e9 Weimerskirch, and Justin Cappos. 2016a. Uptane: Securing Software Updates for Automobiles. 14th ESCAR Europe (2016)."},{"key":"e_1_3_2_1_43_1","volume-title":"13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16)","author":"Kuppusamy Trishank Karthik","year":"2016","unstructured":"Trishank Karthik Kuppusamy , Santiago Torres-Arias , Vladimir Diaz , and Justin Cappos . 2016 b. Diplomat: Using delegations to protect community repositories . In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16) . USENIX, Santa Clara, CA, 567--581. Trishank Karthik Kuppusamy, Santiago Torres-Arias, Vladimir Diaz, and Justin Cappos. 2016b. Diplomat: Using delegations to protect community repositories. In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16). USENIX, Santa Clara, CA, 567--581."},{"key":"e_1_3_2_1_44_1","volume-title":"Reproducible Builds: Increasing the Integrity of Software Supply Chains. CoRR","author":"Lamb Chris","year":"2021","unstructured":"Chris Lamb and Stefano Zacchiroli . 2021 . Reproducible Builds: Increasing the Integrity of Software Supply Chains. CoRR , Vol. abs\/ 2104 .06020 (2021). [arXiv]2104.06020 https:\/\/arxiv.org\/abs\/2104.06020 Chris Lamb and Stefano Zacchiroli. 2021. Reproducible Builds: Increasing the Integrity of Software Supply Chains. CoRR, Vol. abs\/2104.06020 (2021). [arXiv]2104.06020 https:\/\/arxiv.org\/abs\/2104.06020"},{"key":"e_1_3_2_1_45_1","unstructured":"Latacora LLC. 2019. The PGP Problem. https:\/\/latacora.micro.blog\/2019\/07\/16\/the-pgp-problem.html. Accessed: 2020-04-30.  Latacora LLC. 2019. The PGP Problem. https:\/\/latacora.micro.blog\/2019\/07\/16\/the-pgp-problem.html. Accessed: 2020-04-30."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"crossref","unstructured":"Ben Laurie Adam Langley and Emilia Kasper. 2013. Certificate Transparency. Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc6962  Ben Laurie Adam Langley and Emilia Kasper. 2013. Certificate Transparency. Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc6962","DOI":"10.17487\/rfc6962"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"crossref","unstructured":"Ben Laurie E. Messeri and R. Stradling. 2021. Certificate Transparency Version 2.0. Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc9162  Ben Laurie E. Messeri and R. Stradling. 2021. Certificate Transparency Version 2.0. Technical Report. Internet Engineering Task Force. http:\/\/tools.ietf.org\/html\/rfc9162","DOI":"10.17487\/RFC9162"},{"key":"e_1_3_2_1_48_1","volume-title":"Fedora reboots updates after hack. https:\/\/www.zdnet.com\/article\/fedora-reboots-updates-after-hack\/. ZDNet","author":"LeMay Renai","year":"2008","unstructured":"Renai LeMay . 2008. Fedora reboots updates after hack. https:\/\/www.zdnet.com\/article\/fedora-reboots-updates-after-hack\/. ZDNet ( 2008 ). Accessed : 2022-04-30. Renai LeMay. 2008. Fedora reboots updates after hack. https:\/\/www.zdnet.com\/article\/fedora-reboots-updates-after-hack\/. ZDNet (2008). Accessed: 2022-04-30."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_18"},{"key":"e_1_3_2_1_50_1","volume-title":"Reproducible Builds: Break a log, good things come in trees. Master's thesis","author":"Linderud Morten","year":"2019","unstructured":"Morten Linderud . 2019 . Reproducible Builds: Break a log, good things come in trees. Master's thesis . The University of Bergen . Morten Linderud. 2019. Reproducible Builds: Break a log, good things come in trees. Master's thesis. The University of Bergen."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.32"},{"key":"e_1_3_2_1_52_1","unstructured":"Moxie Marlinspike. 2015. GPG and me. https:\/\/moxie.org\/2015\/02\/24\/gpg-and-me.html. Accessed: 2022-04-30.  Moxie Marlinspike. 2015. GPG and me. https:\/\/moxie.org\/2015\/02\/24\/gpg-and-me.html. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/571825.571840"},{"key":"e_1_3_2_1_54_1","volume-title":"Think Global","author":"Meiklejohn Sarah","year":"2020","unstructured":"Sarah Meiklejohn , Pavel Kalinnikov , Cindy S. Lin , Martin Hutchinson , Gary Belvin , Mariana Raykova , and Al Cutter . 2020. Think Global , Act Local : Gossip and Client Audits in Verifiable Data Structures. CoRR , Vol. abs\/ 2011 .04551 ( 2020 ). [arXiv]2011.04551 https:\/\/arxiv.org\/abs\/2011.04551 Sarah Meiklejohn, Pavel Kalinnikov, Cindy S. Lin, Martin Hutchinson, Gary Belvin, Mariana Raykova, and Al Cutter. 2020. Think Global, Act Local: Gossip and Client Audits in Verifiable Data Structures. CoRR, Vol. abs\/2011.04551 (2020). [arXiv]2011.04551 https:\/\/arxiv.org\/abs\/2011.04551"},{"key":"e_1_3_2_1_55_1","volume-title":"24th USENIX Security Symposium (USENIX Security 15)","author":"Melara Marcela S","year":"2015","unstructured":"Marcela S Melara , Aaron Blankstein , Joseph Bonneau , Edward W Felten , and Michael J Freedman . 2015 . {CONIKS}: Bringing Key Transparency to End Users . In 24th USENIX Security Symposium (USENIX Security 15) . USENIX Association, Washington, DC, 383--398. Marcela S Melara, Aaron Blankstein, Joseph Bonneau, Edward W Felten, and Michael J Freedman. 2015. {CONIKS}: Bringing Key Transparency to End Users. In 24th USENIX Security Symposium (USENIX Security 15). USENIX Association, Washington, DC, 383--398."},{"key":"e_1_3_2_1_57_1","volume-title":"Conference on the theory and application of cryptographic techniques. Springer","author":"Merkle Ralph C","year":"1987","unstructured":"Ralph C Merkle . 1987 . A digital signature based on a conventional encryption function . In Conference on the theory and application of cryptographic techniques. Springer , Springer, Berlin, 369--378. Ralph C Merkle. 1987. A digital signature based on a conventional encryption function. In Conference on the theory and application of cryptographic techniques. Springer, Springer, Berlin, 369--378."},{"key":"e_1_3_2_1_58_1","volume-title":"Association for Computing Machinery","author":"Navarro Leija Omar S.","unstructured":"Omar S. Navarro Leija , Kelly Shiptoski , Ryan G. Scott , Baojun Wang , Nicholas Renner , Ryan R. Newton , and Joseph Devietti . 2020. Reproducible Containers . Association for Computing Machinery , New York, NY, USA , 167--182. https:\/\/doi.org\/10.1145\/3373376.3378519 10.1145\/3373376.3378519 Omar S. Navarro Leija, Kelly Shiptoski, Ryan G. Scott, Baojun Wang, Nicholas Renner, Ryan R. Newton, and Joseph Devietti. 2020. Reproducible Containers. Association for Computing Machinery, New York, NY, USA, 167--182. https:\/\/doi.org\/10.1145\/3373376.3378519"},{"key":"e_1_3_2_1_59_1","volume-title":"26th USENIX Security Symposium (USENIX Security '17)","author":"Nikitin K.","year":"2017","unstructured":"K. Nikitin , L. Kokoris-Kogias , P. Jovanovic , N. Gailly , L. Gasser , I. Khoffi , J. Cappos , and Ford. B. 2017 . CHAINIAC: Software-Update Transparency via Collectively Signed Skipchains and Verified Builds . In 26th USENIX Security Symposium (USENIX Security '17) . USENIX Association, Vancouver, BC, Canada, 1271--1287. K. Nikitin, L. Kokoris-Kogias, P. Jovanovic, N. Gailly, L. Gasser, I. Khoffi, J. Cappos, and Ford. B. 2017. CHAINIAC: Software-Update Transparency via Collectively Signed Skipchains and Verified Builds. In 26th USENIX Security Symposium (USENIX Security '17). USENIX Association, Vancouver, BC, Canada, 1271--1287."},{"key":"e_1_3_2_1_60_1","unstructured":"Notary Project. 2015. Notary. https:\/\/github.com\/notaryproject\/notary. Accessed: 2022-04-30.  Notary Project. 2015. Notary. https:\/\/github.com\/notaryproject\/notary. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_61_1","unstructured":"OpenID Foundation. 2014. OpenID Connect. https:\/\/openid.net\/connect\/. Accessed: 2022-04--30.  OpenID Foundation. 2014. OpenID Connect. https:\/\/openid.net\/connect\/. Accessed: 2022-04--30."},{"key":"e_1_3_2_1_62_1","unstructured":"Justin Pagano. 2021. Securing the Supply Chain: Lessons Learned from the Codecov Compromise. https:\/\/www.rapid7.com\/blog\/post\/2021\/07\/09\/securing-the-supply-chain-lessons-learned-from-the-codecov-compromise\/. Accessed: 2022-04-30.  Justin Pagano. 2021. Securing the Supply Chain: Lessons Learned from the Codecov Compromise. https:\/\/www.rapid7.com\/blog\/post\/2021\/07\/09\/securing-the-supply-chain-lessons-learned-from-the-codecov-compromise\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_63_1","unstructured":"Python Packaging Authority (PyPA). 2022. Project Summaries. https:\/\/packaging.python.org\/en\/latest\/key_projects\/. Accessed: 2022-04-30.  Python Packaging Authority (PyPA). 2022. Project Summaries. https:\/\/packaging.python.org\/en\/latest\/key_projects\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_64_1","volume-title":"Reproducible Builds: A set of software development practices that create an independently-verifiable path from source to binary code. https:\/\/reproducible-builds.org\/. Accessed: 2022-04-30.","author":"Builds Reproducible","year":"2015","unstructured":"Reproducible Builds . 2015 . Reproducible Builds: A set of software development practices that create an independently-verifiable path from source to binary code. https:\/\/reproducible-builds.org\/. Accessed: 2022-04-30. Reproducible Builds. 2015. Reproducible Builds: A set of software development practices that create an independently-verifiable path from source to binary code. https:\/\/reproducible-builds.org\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_65_1","unstructured":"Reuters Staff. 2021. SolarWinds hack was 'largest and most sophisticated attack' ever: Microsoft president. https:\/\/www.reuters.com\/article\/us-cyber-solarwinds-microsoft\/solarwinds-hack-was-largest-and-most-sophisticated-attack-ever-microsoft-president-idUSKBN2AF03R. Accessed: 2022-04-30.  Reuters Staff. 2021. SolarWinds hack was 'largest and most sophisticated attack' ever: Microsoft president. https:\/\/www.reuters.com\/article\/us-cyber-solarwinds-microsoft\/solarwinds-hack-was-largest-and-most-sophisticated-attack-ever-microsoft-president-idUSKBN2AF03R. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_66_1","volume-title":"Fourteenth Symposium on Usable Privacy and Security (SOUPS","author":"Ruoti Scott","year":"2018","unstructured":"Scott Ruoti , Jeff Andersen , Tyler Monson , Daniel Zappala , and Kent Seamons . 2018 . A comparative usability study of key management in secure email . In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX Association, Baltimore, MD, 375--394. Scott Ruoti, Jeff Andersen, Tyler Monson, Daniel Zappala, and Kent Seamons. 2018. A comparative usability study of key management in secure email. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX Association, Baltimore, MD, 375--394."},{"key":"e_1_3_2_1_67_1","volume-title":"Survivable Key Compromise in Software Update Systems. In The 17th ACM Conference on Computer and Communications Security (CCS '10)","author":"Samuel Justin","year":"2010","unstructured":"Justin Samuel , Nick Mathewson , Justin Cappos , and Roger Dingledine . 2010 . Survivable Key Compromise in Software Update Systems. In The 17th ACM Conference on Computer and Communications Security (CCS '10) (Chicago, IL). ACM, Chicago, IL. Justin Samuel, Nick Mathewson, Justin Cappos, and Roger Dingledine. 2010. Survivable Key Compromise in Software Update Systems. In The 17th ACM Conference on Computer and Communications Security (CCS '10) (Chicago, IL). ACM, Chicago, IL."},{"key":"e_1_3_2_1_68_1","volume-title":"Symposium On Usable Privacy and Security. ACM, ACM","author":"Sheng Steve","year":"2006","unstructured":"Steve Sheng , Levi Broderick , Colleen Alison Koranda , and Jeremy J Hyland . 2006 . Why johnny still can't encrypt: evaluating the usability of email encryption software . In Symposium On Usable Privacy and Security. ACM, ACM , Pittsburgh, PA, 3--4. Steve Sheng, Levi Broderick, Colleen Alison Koranda, and Jeremy J Hyland. 2006. Why johnny still can't encrypt: evaluating the usability of email encryption software. In Symposium On Usable Privacy and Security. ACM, ACM, Pittsburgh, PA, 3--4."},{"key":"e_1_3_2_1_69_1","unstructured":"Smallstep Labs Inc. 2020. smallstep\/certificates: A private certificate authority. https:\/\/github.com\/smallstep\/certificates. Accessed: 2022-08-22.  Smallstep Labs Inc. 2020. smallstep\/certificates: A private certificate authority. https:\/\/github.com\/smallstep\/certificates. Accessed: 2022-08-22."},{"key":"e_1_3_2_1_70_1","volume-title":"Technical Report","author":"Sporny Manu","unstructured":"Manu Sporny , Dave Longley , Markus Sabadello , Drummond Reed , Orie Steele , and Christopher Allen . 2021. Decentralized Identifiers (DIDs) v1.0. Technical Report . World Wide Web Consortium (W 3C). Manu Sporny, Dave Longley, Markus Sabadello, Drummond Reed, Orie Steele, and Christopher Allen. 2021. Decentralized Identifiers (DIDs) v1.0. Technical Report. World Wide Web Consortium (W3C)."},{"key":"e_1_3_2_1_71_1","unstructured":"SSLMate. 2022. Certificate Transparency Log Growth. https:\/\/sslmate.com\/labs\/ct_growth\/. Accessed: 2022-04-30.  SSLMate. 2022. Certificate Transparency Log Growth. https:\/\/sslmate.com\/labs\/ct_growth\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_72_1","unstructured":"Donald Stufft. 2016. PyPI and GPG Signatures. https:\/\/mail.python.org\/pipermail\/distutils-sig\/2016-May\/028933.html Accessed: 2022-09-07.  Donald Stufft. 2016. PyPI and GPG Signatures. https:\/\/mail.python.org\/pipermail\/distutils-sig\/2016-May\/028933.html Accessed: 2022-09-07."},{"key":"e_1_3_2_1_73_1","unstructured":"The SPIFFE authors. 2022. Secure Production Identity Framework for Everyone. https:\/\/spiffe.io\/. Accessed: 2022-04-30.  The SPIFFE authors. 2022. Secure Production Identity Framework for Everyone. https:\/\/spiffe.io\/. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_74_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Torres-Arias Santiago","year":"2019","unstructured":"Santiago Torres-Arias , Hammad Afzali , Trishank Karthik Kuppusamy , Reza Curtmola , and Justin Cappos . 2019 . in-toto: Providing farm-to-table guarantees for bits and bytes . In 28th USENIX Security Symposium (USENIX Security 19) . USENIX Association, Santa Clara, CA, 1393--1410. Santiago Torres-Arias, Hammad Afzali, Trishank Karthik Kuppusamy, Reza Curtmola, and Justin Cappos. 2019. in-toto: Providing farm-to-table guarantees for bits and bytes. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 1393--1410."},{"key":"e_1_3_2_1_75_1","volume-title":"25th USENIX Security Symposium (USENIX Security '16)","author":"Torres-Arias Santiago","year":"2016","unstructured":"Santiago Torres-Arias , Anil Kumar Ammula , Reza Curtmola , and J Cappos . 2016 . On omitting commits and committing omissions: Preventing Git metadata tampering that (re) introduces software vulnerabilities . In 25th USENIX Security Symposium (USENIX Security '16) . USENIX Association, Austin, TX, 379--395. Santiago Torres-Arias, Anil Kumar Ammula, Reza Curtmola, and J Cappos. 2016. On omitting commits and committing omissions: Preventing Git metadata tampering that (re) introduces software vulnerabilities. In 25th USENIX Security Symposium (USENIX Security '16). USENIX Association, Austin, TX, 379--395."},{"key":"e_1_3_2_1_76_1","unstructured":"Uptane Alliance. 2018. Uptane -- IEEE-ISTO 6100.1.0.0 Uptane Standard for Design and Implementation. https:\/\/uptane.github.io\/papers\/ieee-isto-6100.1.0.0.uptane-standard.html.  Uptane Alliance. 2018. Uptane -- IEEE-ISTO 6100.1.0.0 Uptane Standard for Design and Implementation. https:\/\/uptane.github.io\/papers\/ieee-isto-6100.1.0.0.uptane-standard.html."},{"key":"e_1_3_2_1_77_1","volume-title":"Department of Homeland Security","author":"U.S. Department of Commerce and U.S.","year":"2022","unstructured":"U.S. Department of Commerce and U.S. Department of Homeland Security . 2022 . Assessment of the critical supply chains supporting the U.S. information and communications technology industry. Technical Report. U.S. Department of Commerce and U.S. Department of Homeland Security . U.S. Department of Commerce and U.S. Department of Homeland Security. 2022. Assessment of the critical supply chains supporting the U.S. information and communications technology industry. Technical Report. U.S. Department of Commerce and U.S. Department of Homeland Security."},{"key":"e_1_3_2_1_78_1","volume-title":"I'm throwing in the towel on PGP, and I work in security. Ars Technica","author":"Valsorda Filippo","year":"2016","unstructured":"Filippo Valsorda . 2016. I'm throwing in the towel on PGP, and I work in security. Ars Technica ( 2016 ). https:\/\/arstechnica.com\/information-technology\/2016\/12\/op-ed-im-giving-up-on-pgp\/ Accessed : 2022-04-30. Filippo Valsorda. 2016. I'm throwing in the towel on PGP, and I work in security. Ars Technica (2016). https:\/\/arstechnica.com\/information-technology\/2016\/12\/op-ed-im-giving-up-on-pgp\/ Accessed: 2022-04-30."},{"key":"e_1_3_2_1_79_1","volume-title":"Red Hat's Ceph and Inktank code repositories were cracked. https:\/\/www.zdnet.com\/article\/red-hats-ceph-and-inktank-code-repositories-were-cracked\/. ZDNet","author":"Vaughan-Nichols Steven","year":"2015","unstructured":"Steven Vaughan-Nichols . 2015. Red Hat's Ceph and Inktank code repositories were cracked. https:\/\/www.zdnet.com\/article\/red-hats-ceph-and-inktank-code-repositories-were-cracked\/. ZDNet ( 2015 ). Accessed : 2022-04-30. Steven Vaughan-Nichols. 2015. Red Hat's Ceph and Inktank code repositories were cracked. https:\/\/www.zdnet.com\/article\/red-hats-ceph-and-inktank-code-repositories-were-cracked\/. ZDNet (2015). Accessed: 2022-04-30."},{"key":"e_1_3_2_1_80_1","unstructured":"Luis Villa. 2021. Setting new expectations for open source maintainers. https:\/\/opensource.com\/article\/21\/8\/open-source-maintainers. Accessed: 2022-08-12.  Luis Villa. 2021. Setting new expectations for open source maintainers. https:\/\/opensource.com\/article\/21\/8\/open-source-maintainers. Accessed: 2022-08-12."},{"key":"e_1_3_2_1_81_1","unstructured":"Priya Wadhwa and Appu Goundan. 2021. Distroless Builds are now SLSA 2. https:\/\/security.googleblog.com\/2021\/09\/distroless-builds-are-now-slsa-2.html. Accessed: 2022-04-30.  Priya Wadhwa and Appu Goundan. 2021. Distroless Builds are now SLSA 2. https:\/\/security.googleblog.com\/2021\/09\/distroless-builds-are-now-slsa-2.html. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_82_1","volume-title":"USENIX security symposium","author":"Whitten Alma","unstructured":"Alma Whitten and J Doug Tygar . 1999. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 .. In USENIX security symposium , Vol. 348 . USENIX Association , Washington, DC , 169--184. Alma Whitten and J Doug Tygar. 1999. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.. In USENIX security symposium, Vol. 348. USENIX Association, Washington, DC, 169--184."},{"key":"e_1_3_2_1_83_1","unstructured":"Debian Wiki. 2005. SecureApt. http:\/\/wiki.debian.org\/SecureApt. Accessed: 2022-04--30.  Debian Wiki. 2005. SecureApt. http:\/\/wiki.debian.org\/SecureApt. Accessed: 2022-04--30."},{"key":"e_1_3_2_1_84_1","unstructured":"Tieg Zaharia. 2020. The state of package signing across package managers. https:\/\/blog.tidelift.com\/the-state-of-package-signing-across-package-managers. Accessed: 2022-04-30.  Tieg Zaharia. 2020. The state of package signing across package managers. https:\/\/blog.tidelift.com\/the-state-of-package-signing-across-package-managers. Accessed: 2022-04-30."},{"key":"e_1_3_2_1_85_1","volume-title":"Postmortem for Malicious Packages Published on July 12th","author":"Zhu Henry","year":"2018","unstructured":"Henry Zhu . 2018. Postmortem for Malicious Packages Published on July 12th , 2018 . https:\/\/eslint.org\/blog\/2018\/07\/postmortem-for-malicious-package-publishes. Accessed : 2022-04-30. Henry Zhu. 2018. Postmortem for Malicious Packages Published on July 12th, 2018. https:\/\/eslint.org\/blog\/2018\/07\/postmortem-for-malicious-package-publishes. Accessed: 2022-04-30."}],"event":{"name":"CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security","location":"Los Angeles CA USA","acronym":"CCS '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3560596","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3548606.3560596","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:50:58Z","timestamp":1750182658000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3560596"}},"subtitle":["Software Signing for Everybody"],"short-title":[],"issued":{"date-parts":[[2022,11,7]]},"references-count":82,"alternative-id":["10.1145\/3548606.3560596","10.1145\/3548606"],"URL":"https:\/\/doi.org\/10.1145\/3548606.3560596","relation":{},"subject":[],"published":{"date-parts":[[2022,11,7]]},"assertion":[{"value":"2022-11-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}