Safeguard
Tag

code-signing

Safeguard articles tagged "code-signing" — guides, analysis, and best practices for software supply chain and application security.

25 articles

Supply Chain Security

The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed

NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.

Jul 13, 20267 min read
Best Practices

Installing and Verifying Java on macOS Securely

A SHA-256 checksum only proves a JDK download wasn't corrupted in transit — it takes a GPG signature check to prove it actually came from the vendor you trust.

Jul 8, 20266 min read
Threat Research

Lessons from the 3CX Attack: The First Supply Chain Attack Caused by Another

3CX shipped a trojanized version of its own softphone through official updates in 2023 — because an employee installed compromised trading software. Here is the cascade, and its lessons.

Jul 5, 20266 min read
Concepts

What Is Sigstore?

Sigstore is an open-source project for signing and verifying software without managing long-lived keys. Here's how Cosign, Fulcio, and Rekor make keyless signing work.

Jul 5, 20266 min read
Industry Trends

Software Signing and Code Integrity in 2026: The Practical State of Play

Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.

Mar 8, 20267 min read
DevSecOps

What is Artifact Signing

Artifact signing cryptographically verifies who built a software artifact and that it hasn't been tampered with — here's how it works and why it stops supply chain attacks.

Mar 7, 20266 min read
DevSecOps

What is Code Signing

Code signing proves who published software and that it wasn't tampered with — but SolarWinds, CCleaner, and 3CX show signed doesn't mean safe.

Mar 6, 20266 min read
Software Supply Chain Security

What is Sigstore

Sigstore lets projects sign software with short-lived, identity-bound certificates instead of long-lived keys. Here's how Fulcio, Rekor, and Cosign actually work.

Mar 6, 20267 min read
Software Supply Chain Security

Rekor transparency log

What is Rekor? It's the public, immutable transparency log at the heart of Sigstore that records software signing events for tamper-evident verification.

Mar 4, 20267 min read
Cryptography

Hardware Security Module (HSM)

What is an HSM? Learn how hardware security modules store signing keys, how HSM vs KMS differs, and why FIPS 140-2 HSMs protect code-signing keys.

Feb 27, 20267 min read
Best Practices

What is a Trust Store

Trust stores decide which signatures your systems believe. Here's how they work, why they matter for supply chain security, and how to audit them.

Jan 27, 20266 min read
Buyer's Guides

Best artifact and code signing tools

A practical, no-hype comparison of Sigstore, Notation, GitHub Attestations, DigiCert, Vault, and AWS Signer for teams choosing artifact signing tools.

Nov 14, 20258 min read
code-signing — Safeguard Blog