Sigstore

Sigstore is keyless code signing for the software supply chain: a Linux Foundation (OpenSSF) project used by npm, PyPI, Kubernetes and the Go ecosystem. Cosign signs and verifies artifacts, Fulcio issues the certificates, Rekor keeps the transparency log. The de facto standard for signing open-source artifacts.

Key takeaways

  • Keyless code signing infrastructure for the software supply chain. Three components: Cosign (sign and verify artifacts), Fulcio (certificate authority), Rekor (transparency log)
  • Linux Foundation (OpenSSF) project. Adopted by npm, PyPI, the Go ecosystem and Kubernetes. The de facto standard for open-source artifact signing
  • Removes long-lived signing keys: the signer authenticates with an OIDC identity (GitHub, Google) and Fulcio issues a short-lived certificate for a throwaway key, so there is nothing to store, rotate or leak. Makes signing frictionless
  • Signs the provenance attestations SLSA calls for. Works from GitHub Actions, GitLab CI, Jenkins, or any CI job that can obtain an OIDC token. Foundation of modern supply chain security

FAQ

What is Sigstore?

A Linux Foundation (OpenSSF) project providing keyless code signing for software artifacts. The signer logs in with an OIDC identity and receives a short-lived certificate for a throwaway key, so there are no long-lived signing keys to manage. The signing infrastructure behind npm provenance, PyPI attestations, Kubernetes releases and much of the Go ecosystem.

Overview

Sigstore is the keyless code signing infrastructure for the software supply chain. A Linux Foundation (OpenSSF) project, it provides three core components: Cosign (sign and verify container images and other artifacts), Fulcio (a certificate authority that issues short-lived certificates against OIDC identities), and Rekor (an append-only transparency log that records every signature together with the certificate behind it, so a signing event can be audited later and cannot be quietly removed).

The breakthrough is signing without key management. The developer authenticates with an existing identity (a GitHub or Google OIDC login, or the token a CI job receives), Cosign generates a key pair that exists only for that one signing, Fulcio issues a certificate for it that is valid for about ten minutes, the signature and certificate are recorded in Rekor, and the private key is discarded. No GPG keys, no rotation, and no long-lived key to steal; the risk moves to the OIDC account and to the Sigstore services themselves. Two things follow for verifiers. A certificate that expired minutes after signing is still accepted, because the Rekor entry (or a signed timestamp) proves the signature was made while the certificate was valid. And because anyone with a GitHub account can obtain a valid Sigstore signature, "the signature verifies" means nothing on its own: the verifier must pin the identity and OIDC issuer it expects (cosign's --certificate-identity and --certificate-oidc-issuer flags). Sigstore still supports conventional key-based signing for teams that need it; keyless is what makes signing frictionless enough for universal adoption.
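The flow just described, reduced to the Go standard library as an added example (this is not Sigstore's or cosign's code): a stand-in CA plays Fulcio, the signer uses a key that exists only for one signature, and the verifier evaluates the certificate at the log's recorded time and pins both identity and issuer. The issuer OID 1.3.6.1.4.1.57264.1.1 is Fulcio's real extension; the root name "toy-fulcio-root", the address dev@example.com, the fixed serial numbers and the artifact bytes are constructed for the example, and real Fulcio and Rekor do considerably more than this.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fulcio records the OIDC issuer in an X.509 extension under this OID.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// CA stands in for Fulcio: a root that issues ten-minute code-signing certificates.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system CSPRNG is unavailable
	}
	return k
}

// NewCA creates a self-signed root; "toy-fulcio-root" is a placeholder name.
func NewCA(now time.Time) (*CA, error) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // fixed serials suffice for a toy CA
		Subject:      pkix.Name{CommonName: "toy-fulcio-root"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// Sign is the keyless flow: generate an ephemeral key, have the CA bind the
// OIDC identity (email SAN) and issuer to it, sign the artifact digest once,
// and let the private key go out of scope. "now" doubles as the time Rekor
// would record as the log entry's integrated time.
func Sign(ca *CA, artifact []byte, email, issuer string, now time.Time) (*x509.Certificate, []byte, error) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(2),
		EmailAddresses:  []string{email},
		NotBefore:       now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	d := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	return cert, sig, err
}

// Policy is the identity and OIDC issuer the verifier accepts. Without it, a
// valid signature from any account at any issuer would pass.
type Policy struct{ Identity, Issuer string }

// Verify checks the chain at the log's integrated time (by wall-clock time the
// certificate expired minutes after signing), then identity and issuer against
// the policy, then the signature over the artifact digest.
func Verify(root, cert *x509.Certificate, sig, artifact []byte, logTime time.Time, p Policy) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: logTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != p.Identity {
		return fmt.Errorf("identity %v not allowed by policy", cert.EmailAddresses)
	}
	var issuer string
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidIssuer) {
			issuer = string(e.Value)
		}
	}
	if issuer != p.Issuer {
		return fmt.Errorf("issuer %q not allowed by policy", issuer)
	}
	d := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), d[:], sig) {
		return errors.New("signature does not match artifact")
	}
	return nil
}

func main() {
	now := time.Now()
	ca, _ := NewCA(now)
	art := []byte("constructed artifact bytes") // constructed sample input
	cert, sig, _ := Sign(ca, art, "dev@example.com", "https://token.actions.githubusercontent.com", now)
	p := Policy{"dev@example.com", "https://token.actions.githubusercontent.com"}
	fmt.Println("at log time:   ", Verify(ca.Cert, cert, sig, art, now, p))
	fmt.Println("an hour later: ", Verify(ca.Cert, cert, sig, art, now.Add(time.Hour), p))
}
```

The second line printed by main is a chain error: that is what a verifier sees if it checks a keyless signature against the current clock instead of the Rekor entry's integrated time or a signed timestamp. The policy check is the part most often skipped; with cosign verify the equivalent pinning is the pair of --certificate-identity and --certificate-oidc-issuer flags.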

Adopted by npm, PyPI, Kubernetes and the Go ecosystem. Its signed attestations are how SLSA provenance is published in practice, and it works from any CI system that can hand the job an OIDC token.


Competitive Position

Strengths: De facto standard. Linux Foundation backing. Massive adoption. Keyless design removes friction. Enables SLSA.

Weaknesses: Infrastructure complexity for self-hosted deployments (Fulcio, Rekor and their OIDC dependencies). The public instance is a shared dependency: signing needs Fulcio and Rekor to be up, and the trust root is distributed by the project. A signature is only as meaningful as the identity and issuer policy the consumer enforces. Learning curve for teams new to supply chain security.


Research by Ry Walker Research