sigstore
Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.
78 articles
Image Signing with Cosign and Sigstore
A container image tag proves nothing about who built the image or whether it was tampered with. Cosign and Sigstore fix that with cryptographic signatures and a public transparency log — here is how to sign, verify, and enforce.
Artifact Tampering and Integrity: Trusting What You Actually Ship
Artifact tampering alters a build output after it leaves source control, so what you deploy differs from what you reviewed. Here is how it works and how to verify integrity.
What Is Sigstore?
Sigstore is an open-source project for signing and verifying software without managing long-lived keys. Here's how Cosign, Fulcio, and Rekor make keyless signing work.
What Is an Artifact Attestation?
An artifact attestation is a signed, machine-readable claim about a software artifact, bound to it by digest. Here's how the in-toto structure works and what kinds of claims it carries.
Signing and verifying container images with Sigstore/cosign
How cosign and Sigstore replace long-lived signing keys with short-lived, identity-based certificates and a public transparency log for containers.
Maven Central's January 2025 Sigstore Validation Launch: Bringing Java Provenance to the Central Publisher Portal
Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.
npm package signature verification: the 2026 rollout state
Every package on npm is signed by the registry, but the actual posture of install-time signature verification across real-world tooling is patchier than the headline suggests. This is where npm audit signatures and downstream verifiers stand in 2026.
npm provenance attestations walkthrough for 2026
npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.
Model Weights as Supply Chain Artifacts: Signing and Provenance
A 4 GB safetensors file deserves the same signing, hashing, and provenance discipline as a container image. How to actually do it with Sigstore, OCI registries, and AIBOMs.
Container image signing and verification
Scanning tells you what's inside a container image; signing proves where it came from. Here's how signature verification closes the gap that CVE scanners like Trivy leave open.
Container Image Supply Chain Security Deep Dive 2026
A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.
Sigstore Policy Controller v0.15: TUF Delegation and Admission Posture
Policy Controller v0.15 ships sigstore-go's delegation-aware TUF client, a monthly cadence, and tighter integration with cosign 3.x. We benchmarked admission on a 400-node cluster.