Sign
Easy authentication and smart cryptography work in the background. Just push your code, Sigstore can handle the rest.
We’ve combined a few technologies that can be used independently, or as one single process. It’s a way for software developers to sign off on what they build, without needing to jump through hoops or know tricky security protocols. And it’s a way for anyone using those releases to verify the signatures against a tamper-proof log.
Transparency logs record identifying metadata, such as who created an artifact and where it was built, so that at verification time you can tell whether it has been changed.
Data stored in the logs is readily auditable, giving monitors and integrations a foundation to build into your security workflow.
Cosign: signs and verifies artifacts and containers, storing signatures and in-toto/SLSA attestations alongside them in an Open Container Initiative (OCI) registry, so that they become invisible infrastructure.
Rekor: an append-only, auditable transparency log service. Rekor records signed metadata in a ledger that can be queried but cannot be tampered with.
Policy Controller: enforces policy on a cluster based on verifiable supply-chain metadata produced by Cosign.
OpenID Connect: an identity layer that checks that you are who you say you are. It lets clients request and receive information about authenticated sessions and users.
Fulcio: a code-signing certificate authority that issues short-lived certificates to an authenticated identity and publishes them to a certificate transparency log.
Sigstore's trust root: Sigstore's root of trust is built on TUF (The Update Framework). The root repository describes this process, the keyholders, and how the root keys are protected.
First, tell Sigstore to do the signing for you. Sigstore requests a certificate from Fulcio, its certificate authority (CA). Fulcio checks that you are who you say you are using OpenID Connect, which verifies an identity such as an email address to establish you as the author. Fulcio then grants a short-lived certificate that associates the public key you provided with your identity.
You don’t have to manage keys yourself, and Sigstore never obtains your private key: the key pair that Cosign creates stays on your machine, and only the public key is bound to your certificate.
The certificate then comes back to the Sigstore client, which signs the artifact. The artifact hash, the signature, and the certificate are uploaded to the Rekor transparency log, so the signing event is publicly auditable.
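As an added example (not Sigstore's own code), the following Go program models the flow just described with the standard library: a Fulcio-like CA issues a 10-minute certificate binding an email identity to an ephemeral key, the client signs the artifact digest and builds a Rekor-like log entry, and verification checks that the certificate chains to the root, was valid at the logged signing time, names the expected identity, and signed this artifact. The OpenID Connect check and Rekor's inclusion proof are assumed to have happened and are not modelled; `Entry`, `CA`, `Sign` and `Verify` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "crypto/x509"
	"errors"; "math/big"; "time"
)

type Entry struct { // one record in the toy transparency log (the Rekor stand-in)
	Digest   [32]byte          // SHA-256 of the artifact
	Sig      []byte            // ECDSA signature over Digest
	Cert     *x509.Certificate // short-lived cert binding the signer's identity to the key
	LoggedAt time.Time         // when the log integrated the entry
}
// CA is the Fulcio stand-in: a root key that issues 10-minute leaf certificates.
type CA struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func NewCA() *CA {
	key, now := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	return &CA{key, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))))}
}
// Sign is the client flow: ephemeral key (never leaves the client), 10-minute cert for the
// OIDC-verified email (that check is assumed already done), sign the digest, build the log entry.
func (ca *CA) Sign(email string, artifact []byte, now time.Time) Entry {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // discarded once Sign returns
	t := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), EmailAddresses: []string{email},
		NotBefore: now, NotAfter: now.Add(10 * time.Minute), KeyUsage: x509.KeyUsageDigitalSignature}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca.Cert, &key.PublicKey, ca.key))))
	d := sha256.Sum256(artifact)
	return Entry{d, must(ecdsa.SignASN1(rand.Reader, key, d[:])), cert, now}
}
// Verify checks a log entry: cert chains to our root, was valid when the entry was logged,
// names the expected identity, and its key signed this artifact's digest.
func (ca *CA) Verify(e Entry, artifact []byte, email string) error {
	d := sha256.Sum256(artifact)
	switch c := e.Cert; {
	case c.CheckSignatureFrom(ca.Cert) != nil:
		return errors.New("certificate was not issued by the trusted root")
	case e.LoggedAt.Before(c.NotBefore) || e.LoggedAt.After(c.NotAfter):
		return errors.New("certificate was not valid at the logged signing time")
	case len(c.EmailAddresses) != 1 || c.EmailAddresses[0] != email:
		return errors.New("signer identity does not match")
	case d != e.Digest || !ecdsa.VerifyASN1(c.PublicKey.(*ecdsa.PublicKey), d[:], e.Sig):
		return errors.New("signature does not match artifact")
	}
	return nil
}
```

The time check is the part practitioners most often miss: because the certificate expires in minutes, a verifier must compare it against the time the log recorded the entry, not the time of verification.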
Looking for something detailed around the API?
Check out our developer docs
What can I sign and store?
Sigstore tooling supports signing any artifact, such as files or containers. Rekor supports many file formats, such as in-toto attestations, JARs, RPMs, or Alpine images. Sigstore is also actively being integrated with package repositories to ease the adoption of signing within their communities.
What's the current status?
How easy is it to use?
How do I learn more about the project?
How do I get help if I have a question?
How can I get involved with the project?