Zach Steindler

Principal Engineer at GitHub

Ann Arbor, Michigan, United States
email-iconphone-icongithub-logolinkedin-logotwitter-logostackoverflow-logofacebook-logo
Join Prog.AI to see contacts
email-iconphone-icongithub-logolinkedin-logotwitter-logostackoverflow-logofacebook-logo
Join Prog.AI to see contacts

Summary

🤩
Rockstar
🎓
Top School
Zach Steindler is a Principal Engineer with 15 years of experience focused on software supply chain security, currently shaping security strategy and tooling at GitHub from Ann Arbor. He chairs the OpenSSF Technical Advisory Council and co-chairs the Securing Software Repositories Working Group, bridging open-source best practices and enterprise adoption. A hands-on maintainer of sigstore projects like cosign and sigstore-go, he has driven practical features such as protobuf bundle support and timestamp authority integration for stronger signing and verification. At GitHub he enhanced the gh CLI’s attestation capabilities, adding offline verification and trusted-root management to harden developer workflows. His background spans startup engineering and security architecture roles, reflecting a rare mix of product-minded engineering and ecosystem stewardship.
code15 years of coding experience
job11 years of employment as a software developer
bookBSE Computer Engineering, BSE Computer Engineering at University of Michigan
github-logo-circle

Github Skills (17)

command-line-interface10
digital-signature10
security10
go10
command-line10
protobuffer10
protobuf10
cli10
testing9
github-ci9
apidoc9
api9
githubaction-workflow9
tuf8
cicd8

Programming languages (13)

SmartyC++CSSCMakefileGoHTMLTypeScript

Github contributions (5)

github-logo-circle
sigstore/cosign

Mar 2021 - Mar 2025

Code signing and transparency for containers and binaries
Role in this project:
userBack-end Developer & Security Engineer
Contributions:33 reviews, 11 PRs, 58 comments in 4 years
Contributions summary:Zach primarily focused on adding support for protobuf bundles and enhancing the verification process for the `cosign` project. They implemented new bundle formats for verifying signed blobs and attestations. Additionally, the user improved the integration with timestamp authorities to include digital signatures from time-stamping authorities and also addressed issues related to signing and verifying bundles.
containerscryptographycosignsigningsign
cli/cli

Dec 2023 - Oct 2024

GitHub’s official command line tool
Role in this project:
userBack-end Developer & Security Engineer
Contributions:41 reviews, 12 PRs, 16 pushes in 10 months
Contributions summary:Zach primarily focused on enhancing the security and functionality of the `gh cli` tool, specifically within the `attestation` subcommand. They added support for various predicate types and implemented features to filter and manage attestations. Their work included modifying the `attestation verify` command to function in offline mode. Furthermore, they contributed to the security of the tool by adding unit tests, updating dependencies, and refactoring code based on linter feedback. They also introduced a new subcommand for managing trusted root certificates.
golangcommand-line-toolgocommand-linecli
Find and Hire Top DevelopersWe’ve analyzed the programming source code of over 60 million software developers on GitHub and scored them by 50,000 skills. Sign-up on Prog,AI to search for software developers.
Request Free Trial
Zach Steindler - Principal Engineer at GitHub