Safeguard
Tag

signing

Safeguard articles tagged "signing" — guides, analysis, and best practices for software supply chain and application security.

25 articles

Container Security

Sigstore Policy Controller for K8s in Production

How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.

Jan 30, 20267 min read
DevSecOps

Git Hooks as Supply Chain Controls in 2026

Server-side and client-side git hooks are an underused control surface for supply chain risk. Here is what to enforce, where to enforce it, and what to leave alone.

Jan 22, 20266 min read
Container Security

Cosign for Container Signing: A Production Setup

A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.

Jan 22, 20267 min read
Tools

Cosign v2.6: New Bundle Format and Trusted Root

Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.

Oct 21, 20255 min read
DevSecOps

How to Test Your Signing Pipeline End to End

Build a repeatable end-to-end test harness for your signing pipeline that proves artifacts are signed correctly and that verification fails when tampered.

Apr 10, 20256 min read
Open Source Security

NuGet Signed Packages Verification

NuGet supports signed packages — author signatures, repository signatures, and verification modes. A practical guide to enforcing it properly.

Nov 22, 20245 min read
DevSecOps

How to Rotate Build Signing Keys Safely

A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.

Oct 8, 20246 min read
Open Source Security

RubyGems.org and Sigstore: Progress Check

An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.

Sep 20, 20247 min read
Container Security

Azure Container Registry Trust Model

What Azure Container Registry actually guarantees about the images you pull — signing, attestation, content trust, and where the trust chain breaks in practice.

Jul 28, 20247 min read
Container Security

AWS ECR Image Signing in Production

Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.

Jul 22, 20247 min read
Open Source Security

PowerShell Module Supply Chain Security

PowerShell modules are a supply chain people forget exists, and the trust model is weaker than NuGet's. Here is why that matters.

Apr 8, 20247 min read
DevSecOps

Build Artifact Integrity Verification: From Source to Deployment

If you cannot verify that your deployed artifact matches your reviewed source code, your entire code review process is security theater. Here is how to close that gap.

Aug 28, 20226 min read
signing (Page 2) — Safeguard Blog