Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.
Every package on npm is signed by the registry, but the actual posture of install-time signature verification across real-world tooling is patchier than the headline suggests. This is where npm audit signatures and downstream verifiers stand in 2026.
npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.
A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.
Policy Controller v0.15 ships sigstore-go's delegation-aware TUF client, a monthly cadence, and tighter integration with cosign 3.x. We benchmarked admission on a 400-node cluster.
Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.
A practical walkthrough for integrating Sigstore signing and verification with Azure Artifacts in 2026, including the gaps you should know about before starting.
Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.
Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.
Weekly insights on software supply chain security, delivered to your inbox.