Provenance, Attestation, and Signing: A Practical Glossary
Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.
Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.
A concrete migration plan for artifact signing from ECDSA to ML-DSA and SLH-DSA, covering Sigstore, Notary, HSMs, and staged hybrid rollouts.
Long-lived signing keys are operational debt that every security team eventually pays down the hard way. Keyless signing is not an experiment anymore — it is the mainstream design.
KubeCon + CloudNativeCon NA 2025 put supply chain security at the center of the cloud-native conversation. Here is what mattered for platform teams.
Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.
Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.
How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.