Sigstore for software signing: getting started guide

Sigstore is an open-source project (developed by Google, Red Hat, and Purdue University, hosted by the Linux Foundation) that provides free, easy-to-use infrastructure for cryptographic signing and verification of software artefacts. It was created to solve the software supply chain security problem: existing signing tools (GPG) were too complex for most developers, leading to widespread adoption of unsigned software that could be tampered with in transit. Sigstore's keyless, OIDC-based signing model eliminates key management complexity while providing cryptographically strong supply chain integrity guarantees backed by a public transparency log.

Keyless signing in Sigstore means you do not generate, manage, or store a long-lived private key for signing. Instead, Cosign generates an ephemeral key pair at signing time, obtains a short-lived signing certificate from Fulcio (tied to your OIDC identity — GitHub Actions token, Google account, etc.), signs the artefact, and records the event in Rekor's transparency log. The ephemeral keys are discarded after signing. Verification uses the Rekor log and the OIDC identity claim to verify authenticity without needing to know the signer's public key in advance. This eliminates the most common failure mode of traditional signing: compromised or lost private keys.

Cosign signs container images by generating a signature over the image's content digest (SHA256 hash) and pushing that signature as a separate OCI artefact to the same container registry, tagged with a predictable naming convention. This co-locates the signature with the image — no separate signature distribution infrastructure required. For keyless signing, Cosign also records the signing event (certificate and image digest) in the Rekor transparency log. Verifiers use cosign verify with the expected OIDC identity constraints to check both the signature against the image digest and the signing event against the Rekor log.

Rekor is Sigstore's tamper-evident transparency log for signing events. Similar to Certificate Transparency logs for TLS certificates, Rekor is an append-only, cryptographically verifiable log that records all software signing events submitted to the public Sigstore instance. This provides: detection of unauthorised signing (if someone signs your software with a stolen identity, it appears in the public log); a verifiable audit trail of all signing events; and the ability to verify a signature without pre-distributing the signer's public key (look it up in Rekor). Organisations can run private Rekor instances for sensitive internal signing workflows.

Sigstore integrates with Kubernetes via admission webhook controllers that intercept pod creation requests and verify that container images have valid Sigstore signatures before allowing deployment. The Sigstore Policy Controller (the official Sigstore Kubernetes integration) defines ClusterImagePolicy resources specifying which images require signatures and from which OIDC identities. Kyverno provides an alternative with Cosign signature verification built into Kyverno policy rules. Both can be run in audit mode first (logging violations without blocking) then switched to enforcement mode once signing coverage is complete across your image portfolio.

Yes. Cosign can sign any file or OCI artefact, including: container images (primary use case); SBOMs (Software Bills of Materials) attached as signed attestations; SLSA provenance records; binary files; Helm charts (via OCI); NPM packages (via provenance attestation, supported by npmjs.com since 2023); Python packages (via sigstore-python library); and git commits (via Gitsign). The attestation mechanism allows attaching structured, signed claims to container images — including vulnerability scan results, test results, and compliance evidence — creating a verifiable chain of custody from source code to deployed image.

Traditional GPG-based signing requires: generating a long-lived key pair; securely storing the private key (risk of theft or loss); distributing the public key to all verifiers (key distribution problem); manually managing key rotation and expiry; and developer discipline to actually sign artefacts. Sigstore eliminates all of these: ephemeral keys eliminate key management risk; OIDC identity ties signatures to existing identity providers (no separate key distribution); the Rekor log enables verification without pre-distributing public keys; and CI/CD integration (one pipeline step) makes signing automatic. The trade-off is a dependency on Sigstore's public infrastructure (Rekor, Fulcio) or the cost of running private instances.

Yes. Sigstore is production-ready and is already used at significant scale. PyPI (Python Package Index) uses Sigstore for package provenance for all Python packages. npm supports Sigstore-based provenance for published packages. The Kubernetes project itself uses Cosign to sign all release artefacts. Major container registries (GitHub Container Registry, Google Artifact Registry) natively support Cosign signatures. The public Sigstore infrastructure (Rekor, Fulcio) has SLA-backed availability. For enterprises with data sovereignty requirements, private Sigstore deployments (private Rekor + private Fulcio connected to corporate OIDC) are available and used in production at large financial services and government organisations.