sigstore
Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.
78 articles
Cosign container signing
What is Cosign? A precise look at how this Sigstore tool signs and verifies container images, keyless signing, and how it compares to Notary v2.
Rekor transparency log
What is Rekor? It's the public, immutable transparency log at the heart of Sigstore that records software signing events for tamper-evident verification.
Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing
By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.
Cosign Keyless Signing Workflows in 2026
How keyless signing has matured: OIDC identities, transparency log dependencies, attestation patterns, and the operational details teams still get wrong.
Cosign v3.0 Migration Guide for Production Teams
Sigstore Cosign v3.0 flips four behaviours to defaults: bundle format, trusted root, signing config, and statement-based attestations. Here's a clean upgrade plan.
Signing Container Images: Cosign, Notary, and Why It Matters
Signing container images cryptographically proves an image came from a trusted build and hasn't been tampered with since — here's how Cosign and Notary do it, and why registries alone can't guarantee that.
KubeCon NA 2025: Supply Chain Security Themes
KubeCon + CloudNativeCon NA 2025 put supply chain security at the center of the cloud-native conversation. Here is what mattered for platform teams.
Maven Central Sigstore Migration Status
Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.
npm Provenance Statements: What They Prove and What They Don't
npm provenance ties a package to the commit and CI run that built it. That's genuinely useful — and narrower than most teams assume. Here's the exact boundary.
Sigstore Rekor Transparency Log Deep Dive 2026
How Rekor actually works in 2026, the trade-offs of the current Merkle tree design, witness diversity, and the operational realities of verifying inclusion at scale.
OCI + CNCF Image Supply Chain: 2026 Snapshot
Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.
What is Image Signing
Container image signing binds a cryptographic signature to an image's digest so you can prove what's running is what was actually built — not just scanned.