Safeguard
Tag

signing

Safeguard articles tagged "signing" — guides, analysis, and best practices for software supply chain and application security.

25 articles

Cloud Security

Azure Key Vault Managed HSM for Artifact Signing: Pattern Library

Managed HSM gives you FIPS 140-3 Level 3 key custody in Azure. We map the patterns for using it as the root of trust for code signing, container signing, and SBOM attestation.

Apr 4, 20267 min read
Software Supply Chain Security

Provenance, Attestation, and Signing: A Practical Glossary

Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.

Apr 2, 20268 min read
DevSecOps

Azure Artifacts Sigstore Integration Walkthrough 2026

A practical walkthrough for integrating Sigstore signing and verification with Azure Artifacts in 2026, including the gaps you should know about before starting.

Mar 26, 20265 min read
Best Practices

Post-Quantum Signing: An Artifact Migration Plan

A concrete migration plan for artifact signing from ECDSA to ML-DSA and SLH-DSA, covering Sigstore, Notary, HSMs, and staged hybrid rollouts.

Mar 5, 20265 min read
Industry Analysis

The Future of Software Signing Is Keyless

Long-lived signing keys are operational debt that every security team eventually pays down the hard way. Keyless signing is not an experiment anymore — it is the mainstream design.

Mar 5, 20268 min read
DevSecOps

Cosign Keyless Signing Workflows in 2026

How keyless signing has matured: OIDC identities, transparency log dependencies, attestation patterns, and the operational details teams still get wrong.

Feb 26, 20266 min read
Tools

Cosign v3.0 Migration Guide for Production Teams

Sigstore Cosign v3.0 flips four behaviours to defaults: bundle format, trusted root, signing config, and statement-based attestations. Here's a clean upgrade plan.

Feb 25, 20265 min read
Container Security

Multi-Arch Image Builds and Attestation Pitfalls

Why multi-architecture container images break assumptions baked into signing, SBOM, and attestation tooling, and how to build a multi-arch pipeline that stays verifiable.

Feb 22, 20268 min read
Open Source Security

NuGet Package Signing Status in 2026

NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.

Feb 17, 20267 min read
Cloud Security

Azure ACR Image Signing with Notation Policy

Azure Container Registry plus Notation gives you signing, trust policy, and AKS enforcement without bolting on Sigstore. Here is how the pieces actually fit together.

Feb 10, 20267 min read
Container Security

Fargate/ECS Container Supply Chain Pitfalls

The parts of container supply chain that break differently on AWS Fargate and ECS compared to Kubernetes, and what to do about each one in production.

Feb 6, 20267 min read
Cloud Security

AWS ECR Signing Policies with Notation

ECR now supports Notation-based image signing and trust policy enforcement. Here is how to design signing policies that survive scale and auditors.

Feb 5, 20267 min read
signing — Safeguard Blog