
Sigstore

An open-source project providing a standard way to sign, verify, and protect software artifacts without managing long-term cryptographic keys.

What is Sigstore?

Sigstore is a free, open-source set of tools and services designed to improve software supply chain security by making code signing accessible, transparent, and secure. Created as a Linux Foundation project, Sigstore aims to be the "Let's Encrypt" for code signing, offering developers a straightforward way to sign and verify software artifacts without the complexities of traditional key management.

The project addresses critical challenges in software supply chain security by enabling developers to cryptographically sign code, making it possible to verify software origins and ensure integrity throughout the deployment pipeline.

Core Components of Sigstore

Cosign

A tool for signing and verifying container images and other artifacts, storing the signatures and attestations next to the image in an OCI registry. Cosign supports keys held in files, hardware tokens and cloud KMS services, as well as keyless signing backed by Fulcio and Rekor.

Fulcio

A free certificate authority that issues short-lived certificates based on OpenID Connect (OIDC) identities. Instead of requiring developers to manage their own keys, Fulcio binds a developer's identity from an OIDC provider (like GitHub, Google, or Microsoft) to a short-lived signing certificate.

Rekor

A tamper-resistant, immutable transparency log that records metadata about software artifacts and their signatures. By storing these records in a public, append-only log, Rekor provides a verifiable record of when and by whom an artifact was signed.
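What makes the log "verifiable" is that a client can check an entry is in the tree without downloading the whole log. Rekor's Trillian backend builds an RFC 6962 Merkle tree and hands out inclusion proofs against a signed tree head. The Go program below is an added example, not code from this page or from the Sigstore project: it builds such a tree over five constructed entries (they are not real Rekor data), produces an inclusion proof for each, and runs the client-side verification that recomputes the tree head from a leaf and its proof. In practice the root comes from a tree head Rekor has signed and the proof from the Rekor API; here both are computed locally.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample entries standing in for canonicalized Rekor entry bodies
// (not real log data).
var sampleEntries = []string{
	`{"kind":"hashedrekord","artifact":"sha256:aa11","signer":"alice@example.com"}`,
	`{"kind":"hashedrekord","artifact":"sha256:bb22","signer":"ci@example.com"}`,
	`{"kind":"hashedrekord","artifact":"sha256:cc33","signer":"bob@example.com"}`,
	`{"kind":"hashedrekord","artifact":"sha256:dd44","signer":"alice@example.com"}`,
	`{"kind":"hashedrekord","artifact":"sha256:ee55","signer":"release@example.com"}`,
}

// RFC 6962 domain separation: leaves hash with a 0x00 prefix, interior nodes
// with 0x01, so an entry can never be passed off as an interior node.
func leafHash(entry []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, entry...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	h := sha256.Sum256(append(append([]byte{0x01}, left...), right...))
	return h[:]
}

// largestPowerOfTwoBelow returns the largest power of two strictly less than n (n > 1).
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// merkleRoot is MTH(D[n]) from RFC 6962 section 2.1 over a list of leaf hashes.
func merkleRoot(leaves [][]byte) []byte {
	switch n := len(leaves); {
	case n == 0:
		h := sha256.Sum256(nil)
		return h[:]
	case n == 1:
		return leaves[0]
	default:
		k := largestPowerOfTwoBelow(n)
		return nodeHash(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
	}
}

// inclusionProof is PATH(m, D[n]): the sibling hashes, leaf to root, that let a
// verifier recompute the tree head from leaf m alone. The log serves these.
func inclusionProof(leaves [][]byte, m int) [][]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(n)
	if m < k {
		return append(inclusionProof(leaves[:k], m), merkleRoot(leaves[k:]))
	}
	return append(inclusionProof(leaves[k:], m-k), merkleRoot(leaves[:k]))
}

// verifyInclusion is the client-side algorithm from RFC 9162 section 2.1.3.2:
// fold the proof into the leaf hash and compare with the signed tree head. The
// verifier needs only the leaf, its index, the tree size, the proof and the root.
func verifyInclusion(leaf []byte, index, treeSize int, proof [][]byte, root []byte) bool {
	if index < 0 || index >= treeSize {
		return false
	}
	fn, sn := index, treeSize-1
	r := leaf
	for _, p := range proof {
		if sn == 0 {
			return false // more proof nodes than the tree can have
		}
		if fn&1 == 1 || fn == sn { // sibling is to the left
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 { // a lone right node promoted through empty levels
				fn >>= 1
				sn >>= 1
			}
		} else { // sibling is to the right
			r = nodeHash(r, p)
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

func main() {
	leaves := make([][]byte, len(sampleEntries))
	for i, e := range sampleEntries {
		leaves[i] = leafHash([]byte(e))
	}
	root := merkleRoot(leaves) // in Rekor this value sits in the signed tree head
	fmt.Println("tree head:", hex.EncodeToString(root))
	for i := range leaves {
		proof := inclusionProof(leaves, i)
		fmt.Printf("entry %d: %d proof nodes, included=%v\n", i, len(proof), verifyInclusion(leaves[i], i, len(leaves), proof, root))
	}
	// A rewritten entry no longer reaches the signed root, even with the original proof.
	forged := leafHash([]byte(`{"kind":"hashedrekord","artifact":"sha256:aa11","signer":"mallory@example.com"}`))
	fmt.Println("forged entry included:", verifyInclusion(forged, 0, len(leaves), inclusionProof(leaves, 0), root))
}
```

The five-leaf tree is deliberately not a power of two: the last leaf gets a one-node proof while the first needs three, and the promotion loop in verifyInclusion is what handles that shape. A real Sigstore client additionally checks Rekor's signature over the tree head before trusting the root it compares against.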

How Sigstore Works

Traditional Code Signing

Traditional code signing requires developers to:

  1. Generate and securely store private keys
  2. Get certificates from Certificate Authorities (often at substantial cost)
  3. Manage key rotation and security
  4. Handle certificate revocation if keys are compromised

Sigstore Keyless Signing

Sigstore's keyless signing workflow simplifies this process:

  1. Developer authenticates with an OpenID Connect provider (e.g., GitHub, Google)
  2. Fulcio issues a short-lived certificate (valid for minutes) tied to their identity
  3. Developer signs their artifact with this ephemeral certificate
  4. The artifact hash, signature and certificate are recorded in the Rekor transparency log, which timestamps the entry
  5. The certificate expires minutes later; because Rekor's timestamp shows the signature was made while it was valid, there is no long-lived key to protect or revoke

Verification

To verify a signed artifact:

  1. Check the digital signature over the artifact using the public key in the certificate
  2. Verify the certificate chains to the Sigstore root (distributed to clients via TUF) and was therefore issued by Fulcio
  3. Confirm the entry exists in the Rekor transparency log and that the log's timestamp falls inside the certificate's short validity window, since the certificate itself has usually expired by the time verification runs
  4. Validate that the identity and OIDC issuer recorded in the certificate match the values you expect (cosign's --certificate-identity and --certificate-oidc-issuer); a signature by the wrong identity is still a valid signature, so this step is what turns "signed" into "signed by the right party"
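The keyless signing steps and the verification steps above, as one added Go example that is not the Sigstore project's code: a self-signed root stands in for the Sigstore trust root a real client fetches over TUF, a local function plays Fulcio, and a struct carrying an integrated time plays the Rekor entry (real Rekor covers that time with a signed entry timestamp). The identity dev@example.com, the issuer URL and the artifact bytes are example values. It makes two points the list leaves implicit: the chain is validated at the log's integrated time because the certificate is long expired when verification runs, and the verifier pins the identity and issuer it expects instead of accepting any Fulcio-issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Fulcio's "Issuer (V2)" extension carries the OIDC issuer URL as a DER UTF8String.
var oidSigstoreIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}

// logEntry stands in for a Rekor entry; Rekor signs the integrated time, here it is a plain field.
type logEntry struct {
	Signature, CertDER []byte
	IntegratedTime     time.Time
}

// must keeps the signing side short: a failing key generation is not recoverable here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA is a self-signed root standing in for the Sigstore trust root (constructed for this example).
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-fulcio-root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueSigningCert does what Fulcio does after the OIDC login: bind the token's
// identity and issuer to a brand-new key pair in a certificate valid for ten minutes.
func issueSigningCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, identity, issuer string, now time.Time) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{identity}, // a CI workflow identity would be a URI SAN instead
		ExtraExtensions: []pkix.Extension{{Id: oidSigstoreIssuerV2, Value: must(asn1.MarshalWithParams(issuer, "utf8"))}},
	}
	return key, must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// keylessSign signs the artifact digest and returns what would be uploaded to Rekor;
// the caller discards key afterwards, so there is nothing long-lived to protect.
func keylessSign(artifact []byte, key *ecdsa.PrivateKey, certDER []byte, now time.Time) logEntry {
	d := sha256.Sum256(artifact)
	return logEntry{Signature: must(ecdsa.SignASN1(rand.Reader, key, d[:])), CertDER: certDER, IntegratedTime: now}
}

// verifyKeyless is the verifier side: chain to the trusted root evaluated at the
// log's integrated time (the certificate has normally expired by now), identity and
// issuer compared with the expected values (cosign's --certificate-identity and
// --certificate-oidc-issuer), then the signature over the artifact.
func verifyKeyless(artifact []byte, e logEntry, roots *x509.CertPool, wantIdentity, wantIssuer string) error {
	cert, err := x509.ParseCertificate(e.CertDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: e.IntegratedTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if !slices.Contains(cert.EmailAddresses, wantIdentity) {
		return fmt.Errorf("identity %q is not a SAN of the certificate", wantIdentity)
	}
	var issuer string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSigstoreIssuerV2) {
			_, err = asn1.Unmarshal(ext.Value, &issuer)
		}
	}
	if err != nil || issuer != wantIssuer {
		return fmt.Errorf("OIDC issuer %q does not match %q", issuer, wantIssuer)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(artifact)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], e.Signature) {
		return errors.New("signature does not verify over the artifact")
	}
	return nil
}

func main() {
	now := time.Now().Add(-time.Hour) // pretend the signing happened an hour ago
	ca, caKey := newCA(now)
	key, certDER := issueSigningCert(ca, caKey, "dev@example.com", "https://accounts.google.com", now)
	artifact := []byte("constructed artifact bytes")
	entry := keylessSign(artifact, key, certDER, now.Add(30*time.Second))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// The certificate expired fifty minutes ago by the wall clock, yet the entry verifies;
	// the same entry is rejected for an identity the verifier did not expect.
	fmt.Println("expected identity:", verifyKeyless(artifact, entry, roots, "dev@example.com", "https://accounts.google.com"))
	fmt.Println("other identity:   ", verifyKeyless(artifact, entry, roots, "mallory@example.com", "https://accounts.google.com"))
}
```

The identity check here only looks at e-mail SANs; for a CI workflow the same comparison would be made against cert.URIs. Everything the verifier needs (certificate, signature, integrated time) travels with the entry, which is why an expired certificate is not a problem as long as the log's timestamp is trusted.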

Benefits of Sigstore

  • Eliminates Key Management: No need to protect long-lived private keys
  • Free and Open: Available to all developers without cost barriers
  • Transparency: Creates a public audit trail of signing events
  • Identity-based: Ties signatures to developer or CI workload identities rather than to bare keys
  • Seamless Integration: Works with existing CI/CD pipelines
  • Standardization: Provides consistent tooling across different environments
  • Ecosystem Support: Growing adoption across major open source projects

Industry Adoption

Sigstore has gained significant adoption across the software industry:

  • Kubernetes: Signs its release artifacts and container images with cosign
  • Python Package Index (PyPI): Accepts Sigstore-based attestations for uploaded packages (PEP 740); CPython's own releases are signed with Sigstore
  • npm: Publishes Sigstore-backed provenance attestations for packages built in supported CI systems
  • Maven Central: Planning integration with Sigstore
  • Open Source Security Foundation (OpenSSF): Hosts Sigstore as one of its projects
  • Major cloud providers: Building support for Sigstore verification

Use Cases

Container Image Signing

cosign generate-key-pair   # one-time: writes cosign.key (passphrase-protected) and cosign.pub
cosign sign --key cosign.key myregistry.io/myimage:latest
cosign verify --key cosign.pub myregistry.io/myimage:latest

Cosign resolves the tag to a digest and signs the digest, but a tag can be moved to a different image after signing, so in a deployment policy refer to the image by digest (myimage@sha256:...) rather than by tag.

Keyless Signing

Without --key, cosign requests a certificate from Fulcio using an OIDC token: interactively it opens a browser login, and in CI it can use the ambient token of the platform or one passed explicitly. Verification must state which identity and issuer are acceptable (the values below are placeholders for the e-mail or workflow URI and issuer URL in your own certificate):

cosign sign --identity-token=$(gcloud auth print-identity-token) myregistry.io/myimage:latest
cosign verify --certificate-identity=dev@example.com --certificate-oidc-issuer=https://accounts.google.com myregistry.io/myimage:latest

Attaching SBOMs and Other Attestations

cosign attest does not produce an SBOM; it wraps an existing predicate (here an SPDX JSON file) in an in-toto attestation, signs it, and stores it next to the image. Verification checks the attestation type and the signer identity in the same way as a plain signature:

cosign attest --type spdxjson --predicate sbom.json myregistry.io/myimage:latest
cosign verify-attestation --type spdxjson --certificate-identity=dev@example.com --certificate-oidc-issuer=https://accounts.google.com myregistry.io/myimage:latest

Getting Started with Sigstore

  1. Install Cosign from the Sigstore project
  2. Configure authentication with your identity provider
  3. Start signing artifacts in your CI/CD pipeline
  4. Implement verification in your deployment process, pinning the signer identity and OIDC issuer you expect rather than accepting any valid Sigstore signature
  5. Monitor the Rekor log for your project's artifacts