code-signing
Safeguard articles tagged "code-signing" — guides, analysis, and best practices for software supply chain and application security.
25 articles
The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed
NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.
Installing and Verifying Java on macOS Securely
A SHA-256 checksum only proves a JDK download wasn't corrupted in transit — it takes a GPG signature check to prove it actually came from the vendor you trust.
Lessons from the 3CX Attack: The First Supply Chain Attack Caused by Another
3CX shipped a trojanized version of its own softphone through official updates in 2023 — because an employee installed compromised trading software. Here is the cascade, and its lessons.
What Is Sigstore?
Sigstore is an open-source project for signing and verifying software without managing long-lived keys. Here's how Cosign, Fulcio, and Rekor make keyless signing work.
Software Signing and Code Integrity in 2026: The Practical State of Play
Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.
What is Artifact Signing
Artifact signing cryptographically verifies who built a software artifact and that it hasn't been tampered with — here's how it works and why it stops supply chain attacks.
What is Code Signing
Code signing proves who published software and that it wasn't tampered with — but SolarWinds, CCleaner, and 3CX show signed doesn't mean safe.
What is Sigstore
Sigstore lets projects sign software with short-lived, identity-bound certificates instead of long-lived keys. Here's how Fulcio, Rekor, and Cosign actually work.
Rekor transparency log
What is Rekor? It's the public, immutable transparency log at the heart of Sigstore that records software signing events for tamper-evident verification.
Hardware Security Module (HSM)
What is an HSM? Learn how hardware security modules store signing keys, how HSM vs KMS differs, and why FIPS 140-2 HSMs protect code-signing keys.
What is a Trust Store
Trust stores decide which signatures your systems believe. Here's how they work, why they matter for supply chain security, and how to audit them.
Best artifact and code signing tools
A practical, no-hype comparison of Sigstore, Notation, GitHub Attestations, DigiCert, Vault, and AWS Signer for teams choosing artifact signing tools.