sigstore
Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.
78 articles
OpenSSF Model Signing v1.0: Sigstore for ML
OpenSSF launched Model Signing v1.0 in April 2025 with Sigstore integration. NVIDIA NGC adopted it the same month. We explain what it signs, how to verify, and where the gaps are.
Fulcio Certificate Lifecycle: Enterprise View
Fulcio issues short-lived certificates for keyless signing. Here is the enterprise view of how those certificates are issued, validated, and woven into long-term trust.
Signing Python Wheels in Production
PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.
RubyGems.org and Sigstore: Progress Check
An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.
Cosign Verification Policies in Production
Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.
How to Sign Container Images With Cosign: A Complete Guide
A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.
SLSA Level 3 in Practice: What It Takes
SLSA Build L3 is achievable in a week per repo if you use a hosted builder — and nearly impossible if you insist on rolling your own. Here is the practical path.
Sigstore Rekor Transparency Log Operations
Rekor is the transparency log behind Sigstore, and understanding its operational model matters more than most teams realise. Here is how we run against it in production.
What is a Software Attestation
A software attestation is a signed, machine-readable claim about an artifact — who built it, what it contains, which checks it passed — that a machine can verify before trusting it.
How to Set Up Sigstore in Your Build Pipeline
Wire Sigstore into GitHub Actions end-to-end: OIDC identity, Cosign signing, Rekor transparency, and policy-controller enforcement — with working snippets.
How to Enforce Cosign Signatures in Kubernetes Admission
A hands-on tutorial for blocking unsigned container images at the Kubernetes admission layer using Cosign, Sigstore policy-controller, and keyless verification.
Container Image Signing with Cosign: A Practical Deep Dive
Cosign makes signing and verifying container images straightforward. Here's everything you need to know to implement it in your pipeline.