sigstorecosign
sigstorecosign is a command-line tool and library in the Sigstore project that enables signing and verification of software artifacts, especially container images in OCI registries. It aims to improve software supply chain security by providing cryptographic signatures and a public provenance trail that can be independently verified.
Signing uses Fulcio, a certificate authority that issues short-lived signing certificates tied to the signer’s identity.
Verification checks the cryptographic signature, validates the Fulcio certificate, and cross-checks the Rekor entry. Cosign supports
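As an added example (not code from the Cosign project itself), the shell function below wraps the keyless verification step described above so that the expected signer identity and OIDC issuer are always pinned. The image reference, identity and issuer strings used here are placeholders; the `--certificate-identity` and `--certificate-oidc-issuer` flags are the real cosign 2.x options, and cosign 2.x refuses a keyless verify without them because any Fulcio-issued certificate would otherwise satisfy the signature check.

```shell
#!/bin/sh
# Added example, not cosign's own code. Assumes `cosign` (v2.x) is on PATH
# when verify_image is called; the image/identity/issuer values are placeholders.

# Build the verification command line. Fails when identity or issuer is
# missing: an unconstrained verify only proves "someone with a Fulcio cert
# signed this", not that the expected build identity did.
build_verify_cmd() {
  image="$1"; identity="$2"; issuer="$3"
  if [ -z "$image" ] || [ -z "$identity" ] || [ -z "$issuer" ]; then
    echo "usage: build_verify_cmd IMAGE@sha256:DIGEST IDENTITY ISSUER" >&2
    return 2
  fi
  # Verify by digest, not tag: tags are mutable, digests are not.
  case "$image" in
    *@sha256:*) ;;
    *) echo "refusing to verify a mutable tag reference: $image" >&2; return 2 ;;
  esac
  printf 'cosign verify --certificate-identity %s --certificate-oidc-issuer %s %s\n' \
    "$identity" "$issuer" "$image"
}

# Run the pinned verification. Exit codes: 0 verified, 2 bad arguments,
# 3 cosign not installed, anything else is cosign's own failure status
# (bad signature, certificate not matching the pinned identity, or a
# Rekor entry that does not check out).
verify_image() {
  build_verify_cmd "$@" >/dev/null || return $?
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 3; }
  cosign verify --certificate-identity "$2" --certificate-oidc-issuer "$3" "$1"
}
```

In a CI gate, call `verify_image` with the digest produced by the build job and the workflow identity that is allowed to sign it; a non-zero status should block deployment rather than be logged and ignored.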
Cosign integrates with CI/CD workflows and cloud-native tooling, enabling signing and verification as part of build
sigstorecosign is maintained as part of the Sigstore project, with governance and community contributions from users