Sigstore
Sigstore is an open-source project hosted by the Cloud Native Computing Foundation (CNCF) that aims to improve software supply chain security by making it easier to sign, verify, and audit software artifacts. Its approach centers on cryptographic signing with short-lived credentials and a public, tamper-evident record of signatures.
The project comprises three main components: Fulcio, Cosign, and Rekor. Fulcio is a certificate authority that
How Sigstore works in practice: a developer authenticates with an identity provider, Fulcio issues an ephemeral
Adoption and scope: while commonly used to sign container images, Sigstore’s tooling supports signing of various
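The two checks that make the model above hold together are shown here in a small added Python example (not Sigstore's own code, and a simplified model): an RFC 6962 Merkle inclusion proof of the kind Rekor returns, and the rule that a short-lived signing certificate is judged valid at the time the log recorded the entry, not at verification time. Entry contents and timestamps are constructed for the example.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 leaf hash, domain-separated with 0x00 from interior nodes.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # Largest power of two strictly less than n (RFC 6962 split point).
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root_hash(entries: list) -> bytes:
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(root_hash(entries[:k]), root_hash(entries[k:]))

def inclusion_proof(index: int, entries: list) -> list:
    # Sibling hashes from the leaf upward; the last element is the top sibling.
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_proof(index, entries[:k]) + [root_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [root_hash(entries[:k])]

def verify_inclusion(index, tree_size, leaf, proof, expected_root) -> bool:
    # Recompute the root from the leaf and proof; a tampered leaf, proof
    # element or index produces a different root and the check fails.
    def climb(m, n, path):
        if n == 1:
            return leaf if not path else b""
        if not path:
            return b""
        k = _split(n)
        if m < k:
            return node_hash(climb(m, k, path[:-1]), path[-1])
        return node_hash(path[-1], climb(m - k, n - k, path[:-1]))
    return index < tree_size and climb(index, tree_size, proof) == expected_root

def cert_valid_at_signing(not_before, not_after, integrated_time) -> bool:
    # Fulcio certificates live only minutes, so the verifier checks validity
    # at the log's integrated time (epoch seconds here), not "now".
    return not_before <= integrated_time <= not_after
```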