Signing & Supply Chain Trust

Sigstore

An open-source stack for signing, verifying, and transparency-logging artifacts.

What is Sigstore?

Sigstore is an open-source project under the Open Source Security Foundation (OpenSSF) that gives every software producer a free, automated way to sign their artifacts — containers, binaries, attestations, SBOMs — and every consumer a way to verify those signatures against a public transparency log. It removes the single biggest historical obstacle to ubiquitous signing: long-lived private keys.

In practice, Sigstore is three cooperating services plus a client: Fulcio issues short-lived certificates tied to an OIDC identity, Rekor appends every signing event to a tamper-evident transparency log, and Cosign is the command-line client that producers and verifiers actually run.

How it works

The keyless flow is the canonical Sigstore experience:

  1. OIDC identity. The producer — a CI job, a developer, a release bot — authenticates to an OIDC provider (GitHub Actions, Google, Azure, etc.). The resulting token carries the durable identity that the signature will be bound to.
  2. Fulcio certificate. Sigstore's Fulcio certificate authority exchanges the OIDC token for a short-lived (10-minute) X.509 certificate bound to that identity. The private key lives only in memory, only for the duration of the signing operation.
  3. Sign and log. Cosign signs the artifact hash with the ephemeral key, then publishes the signature plus certificate to Rekor — the append-only transparency log. The resulting Rekor entry is the public, tamper-evident record.
  4. Verify. Consumers verify the signature against the artifact hash, check that the Fulcio certificate chains to the Sigstore root, and confirm the Rekor inclusion proof. No private key ever persists, and no verification step depends on a secret.

Why it matters

For thirty years, code signing was the default security control nobody used — because managing private keys across thousands of CI pipelines was operationally impossible. Sigstore replaces key management with identity management, and CI systems already know how to do identity. The result: signing is now free, automatic, and verifiable, which is the precondition for treating unsigned artifacts as suspicious by default.

Every major standard coming out of SLSA, CRA, and the US executive order on software supply chain security assumes the existence of something like Sigstore. In 2026, it is essentially the default answer.

What value it adds

  • Zero private-key sprawl

    No long-lived signing keys to rotate, revoke, or lose — identity is the key, and it lives in your existing OIDC provider.

  • Public, tamper-evident audit trail

    Rekor gives you an independently verifiable log of every signing event, which regulators and customers can inspect without trusting your internal records.

  • Native to CI

    GitHub Actions, GitLab, Buildkite, and most modern CI runners already speak OIDC — Sigstore signing is a one-line addition, not a new subsystem.

  • Standards alignment

    SLSA levels 2–3, the EU Cyber Resilience Act, and US M-22-18 attestation requirements all assume signed, logged artifacts — Sigstore is the default way to produce them.

  • Ecosystem momentum

    Kubernetes, Node.js, PyPI, npm, and most major base-image providers now publish Sigstore signatures — which means verification is a meaningful policy, not a theoretical one.

How Safeguard uses it

Safeguard reads Sigstore signatures and Rekor entries as part of its component provenance graph — so the same engine that runs reachability also knows whether the artifact you are about to ship was signed by a recognised identity. That signal feeds policy gates, and it feeds zero-day discovery when an unsigned build appears where one never should.

Turn Sigstore signals into policy.

Connect your registries. See which artifacts are signed, which aren't, and which identity signed them.