sigstore
Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.
78 articles
Provenance, Attestation, and Signing: A Practical Glossary
Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.
Sigstore, Cosign, and keyless container image signing
How Sigstore's Fulcio and Rekor make Cosign keyless container image signing possible, why Chainguard built its product around it, and where the real gaps still are.
Azure Artifacts Sigstore Integration Walkthrough 2026
A practical walkthrough for integrating Sigstore signing and verification with Azure Artifacts in 2026, including the gaps you should know about before starting.
How to Sign Container Images with Cosign in Production
Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.
Software Signing and Code Integrity in 2026: The Practical State of Play
Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.
What is Artifact Signing
Artifact signing cryptographically verifies who built a software artifact and that it hasn't been tampered with — here's how it works and why it stops supply chain attacks.
What is In-toto Attestation
In-toto attestation is a signed, verifiable record of how software was built. Here's how the format works, how it differs from an SBOM, and where it's used today.
What is Sigstore
Sigstore lets projects sign software with short-lived, identity-bound certificates instead of long-lived keys. Here's how Fulcio, Rekor, and Cosign actually work.
Post-Quantum Signing: An Artifact Migration Plan
A concrete migration plan for artifact signing from ECDSA to ML-DSA and SLH-DSA, covering Sigstore, Notary, HSMs, and staged hybrid rollouts.
The Future of Software Signing Is Keyless
Long-lived signing keys are operational debt that every security team eventually pays down the hard way. Keyless signing is not an experiment anymore — it is the mainstream design.
What is Software Provenance
Software provenance proves where an artifact came from and how it was built. Learn what it is, why it matters, and how to verify it with SLSA and Sigstore.
What is an Attestation (Software Security)
Software attestations are signed, verifiable proofs of how code was built and secured — now a legal requirement for US federal software vendors since March 2024.