Safeguard
Tag

sigstore

Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.

78 articles

AI Security

OpenSSF Model Signing v1.0: Sigstore for ML

OpenSSF launched Model Signing v1.0 in April 2025 with Sigstore integration. NVIDIA NGC adopted it the same month. We explain what it signs, how to verify, and where the gaps are.

May 8, 20257 min read
SBOM & Compliance

Fulcio Certificate Lifecycle: Enterprise View

Fulcio issues short-lived certificates for keyless signing. Here is the enterprise view of how those certificates are issued, validated, and woven into long-term trust.

Dec 22, 20247 min read
DevSecOps

Signing Python Wheels in Production

PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.

Nov 12, 20246 min read
Open Source Security

RubyGems.org and Sigstore: Progress Check

An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.

Sep 20, 20247 min read
SBOM & Compliance

Cosign Verification Policies in Production

Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.

Jul 30, 20246 min read
Container Security

How to Sign Container Images With Cosign: A Complete Guide

A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.

Jun 10, 20245 min read
Engineering

SLSA Level 3 in Practice: What It Takes

SLSA Build L3 is achievable in a week per repo if you use a hosted builder — and nearly impossible if you insist on rolling your own. Here is the practical path.

Apr 19, 20246 min read
SBOM & Compliance

Sigstore Rekor Transparency Log Operations

Rekor is the transparency log behind Sigstore, and understanding its operational model matters more than most teams realise. Here is how we run against it in production.

Apr 18, 20247 min read
Concepts

What is a Software Attestation

A software attestation is a signed, machine-readable claim about an artifact — who built it, what it contains, which checks it passed — that a machine can verify before trusting it.

Mar 10, 20246 min read
DevSecOps

How to Set Up Sigstore in Your Build Pipeline

Wire Sigstore into GitHub Actions end-to-end: OIDC identity, Cosign signing, Rekor transparency, and policy-controller enforcement — with working snippets.

Feb 28, 20244 min read
Container Security

How to Enforce Cosign Signatures in Kubernetes Admission

A hands-on tutorial for blocking unsigned container images at the Kubernetes admission layer using Cosign, Sigstore policy-controller, and keyless verification.

Feb 15, 20245 min read
Container Security

Container Image Signing with Cosign: A Practical Deep Dive

Cosign makes signing and verifying container images straightforward. Here's everything you need to know to implement it in your pipeline.

Nov 8, 20226 min read
sigstore (Page 6) — Safeguard Blog