artifact-signing
Safeguard articles tagged "artifact-signing" — guides, analysis, and best practices for software supply chain and application security.
6 articles
Hardening a Java build pipeline in GitHub Actions
23,000+ repos leaked CI secrets when tj-actions/changed-files was hijacked in March 2025. Here's how to pin, OIDC, and sign a Java pipeline against that.
Hardening CI/CD Pipelines End to End
A leaked Codecov credential let attackers read CI secrets from 23,000+ customers for two months in 2021. Here's how to close every stage of that gap.
What is Artifact Signing
Artifact signing cryptographically verifies who built a software artifact and that it hasn't been tampered with — here's how it works and why it stops supply chain attacks.
Best artifact and code signing tools
A practical, no-hype comparison of Sigstore, Notation, GitHub Attestations, DigiCert, Vault, and AWS Signer for teams choosing artifact signing tools.
What is Binary Provenance
Binary provenance is verifiable metadata proving which source, builder, and process produced an artifact — the paper trail that makes 'where did this come from' answerable.
What is a Software Attestation
A software attestation is a signed, machine-readable claim about an artifact — who built it, what it contains, which checks it passed — that a machine can verify before trusting it.