sigstore
Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.
78 articles
Sigstore Policy Controller for K8s in Production
How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.
Cosign for Container Signing: A Production Setup
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
npm Provenance Statements in Practice (2026)
A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.
OpenShift Pipelines with Sigstore: A Production Integration Guide
OpenShift Pipelines (Tekton) plus Sigstore gives you keyless signing inside a regulated cluster. The integration patterns are subtle. We map the ones that survive audit.
Implementing keyless container image signing with Cosign ...
A hands-on guide to Cosign keyless signing GCP setups with Sigstore, Workload Identity Federation, and Cloud Build — sign and verify images with no key management.
Best artifact and code signing tools
A practical, no-hype comparison of Sigstore, Notation, GitHub Attestations, DigiCert, Vault, and AWS Signer for teams choosing artifact signing tools.
npm Provenance: Adoption Tracking in Late 2025
Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.
Best git commit signing and repository integrity tools
A buyer's guide to git commit signing tools -- GPG, SSH signing, Sigstore, gittuf, and more -- compared honestly for real repository integrity verification.
Cosign v2.6: New Bundle Format and Trusted Root
Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.
What is Binary Provenance
Binary provenance is verifiable metadata proving which source, builder, and process produced an artifact — the paper trail that makes 'where did this come from' answerable.
Software Attestation Frameworks Compared: SLSA, in-toto, and Sigstore
Software attestation proves that your artifacts were built the way you claim. Here is a practical comparison of SLSA, in-toto, and Sigstore for securing your build pipeline.
Sigstore Cosign Keyless Signing Explained for Teams
Keyless signing swaps long-lived private keys for ten-minute certificates tied to an OIDC identity. How Fulcio and Rekor work, and how to roll it out without breaking deploys.