
Client statistics

Jussi Kukkonen edited this page Nov 27, 2025 · 22 revisions

sigstore client statistics

These statistics are collected to get better visibility into rekor v2 support in Clients.

Client versions known to support rekor v2 and related components (SigningConfig from TUF, TSA timestamps) well:

  • sigstore-python >= 4.0.0
  • sigstore-java >= 2.0.0
  • cosign >= 2.6.0 (only for some code paths?)
  • sigstore-go >= 1.1

If you want another client included here, file an issue in terraform-modules -- or make a PR to Clients dashboard.

Caveats

These graphs are based on parsing the user-agent header from requests to timestamp.json in the TUF repository. The assumption here is that individual clients (whether signing or verifying) make that request when starting up.

The graphs are useful but there are significant caveats:

  • The majority of signing is done by clients that might not access the TUF repository (chainguard-catalog-syncer, apko-builder, terraform-provider-cosign): there are ~20M new entries in the Rekor logs every week
  • Likewise any verifying-at-scale is likely invisible to us as it can be done 99% offline by caching the TUF repository responses: e.g. PyPI is not going to access any Sigstore infrastructure when verifying an individual PyPI attestation
  • Client user agent bugs are common (in particular cosign identifies as "Go-http-client" or "sigstore-go" depending on version)

Reports

Week 47

Week 46

Week 45

  • Nothing has meaningfully changed since last week
  • sigstore-java 2.0 is still a release candidate so traffic is minimal

Week 44

  • Number of requests total in past week was 15.7M so the floor estimate for "rekor v2 compatible share" is now 26% (real number is likely larger as sigstore-go 1.1.0-1.1.2 identify as Go-http-client)
  • sigstore-go 1.1.3 still sees large growth (+1M this week) as cosign users upgrade. 24% of all golang traffic is now sigstore-go 1.1.3
  • sigstore-python upgrade is now 98% complete

Week 43

  • ~19% of all traffic seems to be rekor v2 compatible (real number is likely higher, see sigstore-go note below)
  • sigstore-go 1.1.3 uptake is now really taking off: it looks like ~18% of all golang based traffic is now sigstore-go 1.1.3 (note that versions 1.0.0-1.1.2 identify as "Go-http-client")
  • sigstore-python userbase is now overwhelmingly on 4.x releases (the sudden change supports the idea that usage comes largely from a single source or a few sources). sigstore-python overall usage has returned from last week's unexplained dip

Week 42

  • sigstore-go 1.1.3 uptake looks pretty good (it has not made a dent in generic go-http-client yet but sigstore-go overall seems to be on an upwards trend)
  • sigstore-python has an interesting trend where the overall traffic is much lower now than it was 2 weeks ago
  • Just for comparison, rekor.sigstore.dev created 18M entries in the last week: this is a reminder that these numbers should not be used for the absolute numbers but to see trends.

Week 41

  • The fresh cosign release should now identify as sigstore-go 1.1.3: this is now visible in the sigstore-go version stats (1.1.3 is 20% of all sigstore-go traffic). The generic "Go-http-client" has not decreased measurably: it could still be from cosign, just a pinned version
  • sigstore-python 3.6.5 traffic (that is still 85% of all sigstore-python traffic) is likely largely from PyPI and the gh-action-pypi-publish GitHub action

Week 40

Known issues:

  • cosign does not have a unique user-agent: the current release uses go-http-client, the next release will use sigstore-go
  • sigstore-js does not have a unique user-agent: currently it uses make-fetch-happen
  • "GitHub" is actually "GitHub CLI": should change the regex to allow whitespace (I mistakenly thought sigstore-go sometimes uses a space instead of slash to separate name and version but this does not seem to be the case)

Initial takeaways

  • The Go ecosystem is by far the largest, as expected. sigstore-go 1.1.3 is the only known good Go client and that is still below 1% of all Go clients (release was only a week ago, not yet used by released cosign)
  • sigstore-python users typically upgrade quickly but 4.0.0 (released 2 weeks ago) is still below 10%: possibly there are large library users that have not upgraded yet
  • Pre-2.0 sigstore-java releases do not use a unique user-agent but the release candidate shows up as 2.0.0
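The user-agent parsing described under Caveats and the known user-agent issues listed for Week 40 (cosign and sigstore-js hiding behind generic agents, "GitHub CLI" containing a space) can be put together into a small classifier that computes the "rekor v2 compatible share" floor estimate. This is an added example, not the dashboard's own code; the log format, the sample lines and the "GitHub CLI/2.63.0" version string are constructed for illustration, and the minimum versions are the ones listed at the top of this page.

```python
import re
from collections import Counter

# Minimum versions this page lists as supporting rekor v2 well. cosign is
# omitted: it identifies as "Go-http-client" or "sigstore-go" by release.
MIN_REKOR_V2 = {"sigstore-python": (4, 0, 0), "sigstore-java": (2, 0, 0), "sigstore-go": (1, 1, 0)}

# "<name>/<version>" or "<name> <version>"; the name may contain a space
# ("GitHub CLI/2.63.0"). Suffixes like " (CPython 3.12)" or "-rc.1" are ignored.
UA_RE = re.compile(r"^\s*(?P<name>[A-Za-z][\w.\- ]*?)[/ ]+(?P<ver>\d+(?:\.\d+)*)")
LOG_UA_RE = re.compile(r'"([^"]*)"\s*$')  # user-agent is the last quoted field

def parse_ua(ua):
    """Return (name, (major, minor, patch)) or None when no version is found."""
    m = UA_RE.match(ua)
    if not m:
        return None
    ver = tuple(int(x) for x in m.group("ver").split("."))
    return m.group("name").strip(), (ver + (0, 0, 0))[:3]

def classify(ua):
    parsed = parse_ua(ua)
    if parsed is None or parsed[0] not in MIN_REKOR_V2:
        return "other"  # generic agents: Go-http-client, make-fetch-happen, ...
    name, ver = parsed
    return "rekor-v2" if ver >= MIN_REKOR_V2[name] else "outdated"

def summarize(log_lines):
    """Count timestamp.json requests per class; the rekor v2 share is a floor
    because 'other' may hide cosign, sigstore-go 1.0.0-1.1.2 and sigstore-js."""
    counts = Counter()
    for line in log_lines:
        if "timestamp.json" not in line:
            continue  # only the TUF timestamp request is used as the client signal
        m = LOG_UA_RE.search(line)
        counts[classify(m.group(1) if m else "")] += 1
    total = sum(counts.values())
    share = counts["rekor-v2"] / total if total else 0.0
    return {"counts": dict(counts), "total": total, "rekor_v2_floor_share": share}

# Constructed sample lines (simplified access-log format, not real traffic).
SAMPLE_LOG = [
    'GET /timestamp.json 200 "sigstore-python/4.0.0 (CPython 3.12)"',
    'GET /timestamp.json 200 "sigstore-python/3.6.5"',
    'GET /timestamp.json 200 "sigstore-go/1.1.3"',
    'GET /timestamp.json 200 "Go-http-client/1.1"',  # cosign or sigstore-go <= 1.1.2
    'GET /timestamp.json 200 "make-fetch-happen/13.0.1"',  # sigstore-js
    'GET /timestamp.json 200 "GitHub CLI/2.63.0"',
    'GET /timestamp.json 200 "sigstore-java/2.0.0"',
    'GET /targets/trusted_root.json 200 "sigstore-go/1.1.3"',  # not counted
]
```

On the sample above `summarize(SAMPLE_LOG)` reports 3 of 7 counted requests as rekor v2 compatible; the three "other" requests are exactly the ones the page says cannot be attributed by user-agent.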
