Zach Steindler is a Principal Engineer with 15 years of experience focused on software supply chain security, currently shaping security strategy and tooling at GitHub from Ann Arbor. He chairs the OpenSSF Technical Advisory Council and co-chairs the Securing Software Repositories Working Group, bridging open-source best practices and enterprise adoption. A hands-on maintainer of sigstore projects like cosign and sigstore-go, he has driven practical features such as protobuf bundle support and timestamp authority integration for stronger signing and verification. At GitHub he enhanced the gh CLI’s attestation capabilities, adding offline verification and trusted-root management to harden developer workflows. His background spans startup engineering and security architecture roles, reflecting a rare mix of product-minded engineering and ecosystem stewardship.
15 years of coding experience
11 years of employment as a software developer
BSE Computer Engineering, BSE Computer Engineering at University of Michigan
Code signing and transparency for containers and binaries
Role in this project:
Back-end Developer & Security Engineer
Contributions:33 reviews, 11 PRs, 58 comments in 4 years
Contributions summary:Zach primarily focused on adding support for protobuf bundles and enhancing the verification process for the `cosign` project. They implemented new bundle formats for verifying signed blobs and attestations. Additionally, the user improved the integration with timestamp authorities to include digital signatures from time-stamping authorities and also addressed issues related to signing and verifying bundles.
Contributions:41 reviews, 12 PRs, 16 pushes in 10 months
Contributions summary:Zach primarily focused on enhancing the security and functionality of the `gh cli` tool, specifically within the `attestation` subcommand. They added support for various predicate types and implemented features to filter and manage attestations. Their work included modifying the `attestation verify` command to function in offline mode. Furthermore, they contributed to the security of the tool by adding unit tests, updating dependencies, and refactoring code based on linter feedback. They also introduced a new subcommand for managing trusted root certificates.
golangcommand-line-toolgocommand-linecli
Find and Hire Top DevelopersWe’ve analyzed the programming source code of over 60 million software developers on GitHub and scored them by 50,000 skills. Sign-up on Prog,AI to search for software developers.