Safeguard
Tag

sigstore

Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.

78 articles

Container Security

Cosign container signing

What is Cosign? A precise look at how this Sigstore tool signs and verifies container images, keyless signing, and how it compares to Notary v2.

Mar 4, 20267 min read
Software Supply Chain Security

Rekor transparency log

What is Rekor? It's the public, immutable transparency log at the heart of Sigstore that records software signing events for tamper-evident verification.

Mar 4, 20267 min read
Supply Chain

Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing

By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.

Mar 3, 20266 min read
DevSecOps

Cosign Keyless Signing Workflows in 2026

How keyless signing has matured: OIDC identities, transparency log dependencies, attestation patterns, and the operational details teams still get wrong.

Feb 26, 20266 min read
Tools

Cosign v3.0 Migration Guide for Production Teams

Sigstore Cosign v3.0 flips four behaviours to defaults: bundle format, trusted root, signing config, and statement-based attestations. Here's a clean upgrade plan.

Feb 25, 20265 min read
Container Security

Signing Container Images: Cosign, Notary, and Why It Matters

Signing container images cryptographically proves an image came from a trusted build and hasn't been tampered with since — here's how Cosign and Notary do it, and why registries alone can't guarantee that.

Feb 18, 20266 min read
Industry Analysis

KubeCon NA 2025: Supply Chain Security Themes

KubeCon + CloudNativeCon NA 2025 put supply chain security at the center of the cloud-native conversation. Here is what mattered for platform teams.

Feb 16, 20268 min read
Open Source Security

Maven Central Sigstore Migration Status

Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.

Feb 12, 20267 min read
Engineering

npm Provenance Statements: What They Prove and What They Don't

npm provenance ties a package to the commit and CI run that built it. That's genuinely useful — and narrower than most teams assume. Here's the exact boundary.

Feb 11, 20266 min read
Software Supply Chain Security

Sigstore Rekor Transparency Log Deep Dive 2026

How Rekor actually works in 2026, the trade-offs of the current Merkle tree design, witness diversity, and the operational realities of verifying inclusion at scale.

Feb 4, 20266 min read
Container Security

OCI + CNCF Image Supply Chain: 2026 Snapshot

Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.

Feb 3, 20267 min read
Container Security

What is Image Signing

Container image signing binds a cryptographic signature to an image's digest so you can prove what's running is what was actually built — not just scanned.

Feb 1, 20267 min read
sigstore (Page 4) — Safeguard Blog