Safeguard
Tag

sigstore

Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.

78 articles

Container Security

Sigstore Policy Controller for K8s in Production

How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.

Jan 30, 20267 min read
Container Security

Cosign for Container Signing: A Production Setup

A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.

Jan 22, 20267 min read
Open Source Security

npm Provenance Statements in Practice (2026)

A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.

Jan 22, 20266 min read
Cloud Security

OpenShift Pipelines with Sigstore: A Production Integration Guide

OpenShift Pipelines (Tekton) plus Sigstore gives you keyless signing inside a regulated cluster. The integration patterns are subtle. We map the ones that survive audit.

Jan 21, 20267 min read
Container Security

Implementing keyless container image signing with Cosign ...

A hands-on guide to Cosign keyless signing GCP setups with Sigstore, Workload Identity Federation, and Cloud Build — sign and verify images with no key management.

Jan 9, 20267 min read
Buyer's Guides

Best artifact and code signing tools

A practical, no-hype comparison of Sigstore, Notation, GitHub Attestations, DigiCert, Vault, and AWS Signer for teams choosing artifact signing tools.

Nov 14, 20258 min read
Open Source Security

npm Provenance: Adoption Tracking in Late 2025

Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.

Nov 12, 20254 min read
Buyer's Guides

Best git commit signing and repository integrity tools

A buyer's guide to git commit signing tools -- GPG, SSH signing, Sigstore, gittuf, and more -- compared honestly for real repository integrity verification.

Nov 7, 20258 min read
Tools

Cosign v2.6: New Bundle Format and Trusted Root

Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.

Oct 21, 20255 min read
Concepts

What is Binary Provenance

Binary provenance is verifiable metadata proving which source, builder, and process produced an artifact — the paper trail that makes 'where did this come from' answerable.

Oct 9, 20256 min read
Build Security

Software Attestation Frameworks Compared: SLSA, in-toto, and Sigstore

Software attestation proves that your artifacts were built the way you claim. Here is a practical comparison of SLSA, in-toto, and Sigstore for securing your build pipeline.

Sep 25, 20258 min read
Engineering

Sigstore Cosign Keyless Signing Explained for Teams

Keyless signing swaps long-lived private keys for ten-minute certificates tied to an OIDC identity. How Fulcio and Rekor work, and how to roll it out without breaking deploys.

Jul 24, 20256 min read
sigstore (Page 5) — Safeguard Blog