Sigstore
Sigstore is a project that provides tools and infrastructure for signing, verifying, and protecting software artifacts. It makes cryptographic signing accessible to all developers, not just security experts.
What is Sigstore?
Sigstore provides:
- Cosign - Tool for signing and verifying container images
- Fulcio - Certificate authority for code signing
- Rekor - Transparency log for signed artifacts
- Keyless signing - Sign without managing keys
Why Sigstore?
Traditional signing requires:
- Managing private keys securely
- Protecting keys from theft
- Distributing public keys
- Complex key management
Sigstore simplifies this with:
- Keyless signing - Use OIDC for authentication
- Public infrastructure - No need to run your own CA
- Transparency logs - Public record of all signatures
- Easy verification - Simple commands to verify signatures
How Sigstore Works
```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Cosign as Cosign
    participant Fulcio as Fulcio
    participant Rekor as Rekor
    participant Registry as Image Registry
    Dev->>Cosign: Sign image
    Cosign->>Fulcio: Request certificate
    Fulcio->>Fulcio: Verify OIDC identity
    Fulcio-->>Cosign: Issue certificate
    Cosign->>Cosign: Sign image
    Cosign->>Rekor: Store signature
    Cosign->>Registry: Push signed image
    Rekor-->>Rekor: Log signature
```
Key Concepts
Signing
Cryptographically sign artifacts to prove:
- Authenticity - Artifact came from the expected source
- Integrity - Artifact hasn’t been tampered with
- Non-repudiation - Signer can’t deny creating the signature
Verification
Verify signatures to ensure:
- Trust - Artifact is from a trusted source
- Safety - Artifact hasn’t been modified
- Compliance - Meets security requirements
Topics
- Cosign - Signing and verification tool
- Fulcio & Rekor - Infrastructure components
See Also
- Supply Chain Security - Overview of supply chain security
- Container Scanning - Vulnerability scanning