package-signing
Safeguard articles tagged "package-signing" — guides, analysis, and best practices for software supply chain and application security.
4 articles
Anatomy of a self-propagating npm worm
In September 2025, one phished maintainer account led to malicious chalk and debug releases hitting over 2B weekly downloads within two hours.
NuGet's September 2025 Trusted Publishing Launch and the 2026 Signing Roadmap
NuGet became the fifth major registry to ship Trusted Publishing in September 2025, with .NET package signing and ID prefix reservation forming a complete trust-signal stack for the ecosystem.
NuGet Package Signing: Enterprise Rollout
Rolling NuGet package signing enforcement across a large .NET estate is a policy and tooling problem, not a cryptography problem. Here is how it actually goes.
Linux Distribution Package Signing: How It Actually Works
Package signing is the backbone of Linux software distribution security. Most teams trust it blindly without understanding the verification chain they depend on.