sigstore
Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.
78 articles
Sigstore Reaches GA: Free Software Signing for Everyone
Sigstore's general availability in October 2022 made cryptographic signing accessible to every developer. Here's why this is a watershed moment.
Kubernetes Supply Chain Policy Engines: Enforcing What Gets Deployed
Scanning for vulnerabilities means nothing if you cannot enforce the results. Supply chain policy engines in Kubernetes turn security findings into hard deployment gates.
Software Provenance Tracking: From Source to Production
Software provenance answers the question: where did this code come from, who built it, and can I trust it? In 2022, provenance tracking moved from academic concept to practical necessity.
OCI Artifact Signing Standards: Making Sense of the Landscape
Container image signing has gone through multiple iterations. Here is where the OCI standards stand now and what you need to implement.
A First-Principles Guide to Artifact Signing in 2022
Artifact signing is having a moment, but most teams skip the fundamentals. Here is the first-principles case for why you sign, what you sign, and who verifies.
Sigstore and Cosign: Software Signing for the Rest of Us
Sigstore makes software signing accessible by eliminating the pain of key management. Here's how Cosign, Fulcio, and Rekor work together to verify software integrity.