Sigstore

Overview

Sigstore is the keyless code signing infrastructure for the software supply chain. An OpenSSF graduated project under the Linux Foundation (graduated March 2024), it provides three core components: Cosign (sign and verify container images and artifacts), Fulcio (certificate authority using OIDC identity), and Rekor (transparency log for immutable audit trails).

The breakthrough: signing without key management. Developers authenticate via existing identity (GitHub, Google OIDC), receive short-lived certificates, and sign artifacts — no GPG keys, no key rotation, no key compromise risk. This makes signing frictionless enough for universal adoption.

The flagship Cosign client sits at ~6,000 GitHub stars as of June 2026, with v3.1.1 shipped June 9, 2026 — active weekly development.

---

What's New (as of June 2026)

• Rekor v2 GA (October 2025) — the transparency log was rebuilt on a tile-based backend (Tessera, the modernized Trillian). Cheaper to operate, fully CDN-cacheable reads, and sharded by year (e.g. log2026-1.rekor.sigstore.dev). It dropped the search index and most entry types, keeping only hashedrekord and dsse. Client support landed in Cosign v2.6.0+ and the Go, Python, and Java SDKs; the 2026 log shard is rolling out now.
• Cosign v3 — current major line (v3.1.1, June 2026), defaulting to the standardized Sigstore bundle format and verifying npm provenance, GitHub Artifact Attestations, and Homebrew provenance with one tool.
• Registry provenance is GA everywhere that matters — npm provenance and PyPI attestations are both generally available and signed via Sigstore's public-good instance; Homebrew and GitHub Artifact Attestations use the same primitives.

---

Pricing

Free, open source (Apache 2.0). The public-good instance (Fulcio + Rekor) is community-operated under OpenSSF with no paid tier. Commercial offerings exist around — not from — the project: Chainguard, founded by Sigstore's co-creators, sells supply-chain products built on the same primitives, and GitHub Artifact Attestations is a hosted Sigstore implementation bundled into GitHub plans.

---

AI and Agent Angle

Sigstore is becoming the trust layer for AI artifacts, not just packages. The OpenSSF Model Signing (OMS) specification — from the OpenSSF AI/ML Working Group — uses the Sigstore bundle format and supports keyless Sigstore signing for model weights, tokenizers, configs, and datasets as a single verifiable unit. NVIDIA has signed every model in its NGC catalog with OMS since March 2025. For agent-produced artifacts the same machinery applies: a CI identity (or workload identity) signs what the agent built, and Rekor provides the audit trail. There is no agent-specific Sigstore product yet — the positioning is that existing keyless signing covers machine identities.

---

Cautions

• Centralized identity dependence — keyless signing routes trust through Google, Microsoft, and GitHub as OIDC providers. Critics argue IdP compromise is the real attack vector (it was in SolarWinds) and gets too little focus, and that the architecture nudges users toward hyperscaler-hosted identity rather than self-hosting.
• "Trusted bit" skepticism — provenance proves where an artifact was built, not that it is safe; skeptics question what end users can actually do with the signal.
• Complexity — Fulcio + Rekor + TUF root + bundle formats is a lot of moving parts; self-hosting remains nontrivial even after Rekor v2's simplification.
• Churn — Rekor v2 removed entry types and the search index; Cosign jumped a major version. Pipelines pinned to old behaviors need migration attention.

---

Competitive Position

Strengths: De facto standard — no credible competitor for open-source artifact signing. OpenSSF graduated. Every major registry (npm, PyPI, Homebrew) and GitHub itself builds on it. Keyless design removes friction. Enables SLSA. Now extending into AI model signing via OMS.

Weaknesses: Trust concentrates in a handful of OIDC providers. Self-hosted deployments remain complex. Signing proves origin, not safety.

---

Bottom Line

Sigstore won. It is the signing layer of the open-source supply chain, the registries standardized on it, and the OMS spec is carrying it into AI model and agent-artifact territory. Rekor v2 fixed the biggest operational complaint (cost and maintenance of the log).

Recommended for: Any team publishing packages or container images; CI/CD pipelines wanting SLSA provenance; AI teams signing model artifacts.

Not recommended for: Air-gapped or hyperscaler-averse environments that can't accept OIDC-rooted trust without running the full stack themselves.

Outlook: Adoption keeps compounding — provenance is becoming a registry default rather than an opt-in. The open question is whether identity-provider centralization becomes a real incident or stays a theoretical objection.

---

Research by Ry Walker Research • methodology