signing
Safeguard articles tagged "signing" — guides, analysis, and best practices for software supply chain and application security.
25 articles
Azure Key Vault Managed HSM for Artifact Signing: Pattern Library
Managed HSM gives you FIPS 140-3 Level 3 key custody in Azure. We map the patterns for using it as the root of trust for code signing, container signing, and SBOM attestation.
Provenance, Attestation, and Signing: A Practical Glossary
Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.
Azure Artifacts Sigstore Integration Walkthrough 2026
A practical walkthrough for integrating Sigstore signing and verification with Azure Artifacts in 2026, including the gaps you should know about before starting.
Post-Quantum Signing: An Artifact Migration Plan
A concrete migration plan for artifact signing from ECDSA to ML-DSA and SLH-DSA, covering Sigstore, Notary, HSMs, and staged hybrid rollouts.
The Future of Software Signing Is Keyless
Long-lived signing keys are operational debt that every security team eventually pays down the hard way. Keyless signing is not an experiment anymore — it is the mainstream design.
Cosign Keyless Signing Workflows in 2026
How keyless signing has matured: OIDC identities, transparency log dependencies, attestation patterns, and the operational details teams still get wrong.
Cosign v3.0 Migration Guide for Production Teams
Sigstore Cosign v3.0 flips four behaviours to defaults: bundle format, trusted root, signing config, and statement-based attestations. Here's a clean upgrade plan.
Multi-Arch Image Builds and Attestation Pitfalls
Why multi-architecture container images break assumptions baked into signing, SBOM, and attestation tooling, and how to build a multi-arch pipeline that stays verifiable.
NuGet Package Signing Status in 2026
NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.
Azure ACR Image Signing with Notation Policy
Azure Container Registry plus Notation gives you signing, trust policy, and AKS enforcement without bolting on Sigstore. Here is how the pieces actually fit together.
Fargate/ECS Container Supply Chain Pitfalls
The parts of container supply chain that break differently on AWS Fargate and ECS compared to Kubernetes, and what to do about each one in production.
AWS ECR Signing Policies with Notation
ECR now supports Notation-based image signing and trust policy enforcement. Here is how to design signing policies that survive scale and auditors.