Safeguard
Tag

sigstore

Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.

78 articles

Software Supply Chain Security

Provenance, Attestation, and Signing: A Practical Glossary

Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.

Apr 2, 20268 min read
Software Supply Chain Security

Sigstore, Cosign, and keyless container image signing

How Sigstore's Fulcio and Rekor make Cosign keyless container image signing possible, why Chainguard built its product around it, and where the real gaps still are.

Mar 30, 20267 min read
DevSecOps

Azure Artifacts Sigstore Integration Walkthrough 2026

A practical walkthrough for integrating Sigstore signing and verification with Azure Artifacts in 2026, including the gaps you should know about before starting.

Mar 26, 20265 min read
Best Practices

How to Sign Container Images with Cosign in Production

Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.

Mar 10, 20267 min read
Industry Trends

Software Signing and Code Integrity in 2026: The Practical State of Play

Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.

Mar 8, 20267 min read
DevSecOps

What is Artifact Signing

Artifact signing cryptographically verifies who built a software artifact and that it hasn't been tampered with — here's how it works and why it stops supply chain attacks.

Mar 7, 20266 min read
Software Supply Chain Security

What is In-toto Attestation

In-toto attestation is a signed, verifiable record of how software was built. Here's how the format works, how it differs from an SBOM, and where it's used today.

Mar 6, 20267 min read
Software Supply Chain Security

What is Sigstore

Sigstore lets projects sign software with short-lived, identity-bound certificates instead of long-lived keys. Here's how Fulcio, Rekor, and Cosign actually work.

Mar 6, 20267 min read
Best Practices

Post-Quantum Signing: An Artifact Migration Plan

A concrete migration plan for artifact signing from ECDSA to ML-DSA and SLH-DSA, covering Sigstore, Notary, HSMs, and staged hybrid rollouts.

Mar 5, 20265 min read
Industry Analysis

The Future of Software Signing Is Keyless

Long-lived signing keys are operational debt that every security team eventually pays down the hard way. Keyless signing is not an experiment anymore — it is the mainstream design.

Mar 5, 20268 min read
Software Supply Chain Security

What is Software Provenance

Software provenance proves where an artifact came from and how it was built. Learn what it is, why it matters, and how to verify it with SLSA and Sigstore.

Mar 5, 20267 min read
Software Supply Chain Security

What is an Attestation (Software Security)

Software attestations are signed, verifiable proofs of how code was built and secured — now a legal requirement for US federal software vendors since March 2024.

Mar 5, 20267 min read
sigstore (Page 3) — Safeguard Blog