signing
Safeguard articles tagged "signing" — guides, analysis, and best practices for software supply chain and application security.
25 articles
Sigstore Policy Controller for K8s in Production
How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.
Git Hooks as Supply Chain Controls in 2026
Server-side and client-side git hooks are an underused control surface for supply chain risk. Here is what to enforce, where to enforce it, and what to leave alone.
Cosign for Container Signing: A Production Setup
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
Cosign v2.6: New Bundle Format and Trusted Root
Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.
How to Test Your Signing Pipeline End to End
Build a repeatable end-to-end test harness for your signing pipeline that proves artifacts are signed correctly and that verification fails when tampered.
NuGet Signed Packages Verification
NuGet supports signed packages — author signatures, repository signatures, and verification modes. A practical guide to enforcing it properly.
How to Rotate Build Signing Keys Safely
A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.
RubyGems.org and Sigstore: Progress Check
An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.
Azure Container Registry Trust Model
What Azure Container Registry actually guarantees about the images you pull — signing, attestation, content trust, and where the trust chain breaks in practice.
AWS ECR Image Signing in Production
Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.
PowerShell Module Supply Chain Security
PowerShell modules are a supply chain people forget exists, and the trust model is weaker than NuGet's. Here is why that matters.
Build Artifact Integrity Verification: From Source to Deployment
If you cannot verify that your deployed artifact matches your reviewed source code, your entire code review process is security theater. Here is how to close that gap.