What is Sigstore?

Sigstore is an open-source project for signing, verifying, and protecting software. It makes software supply chain security accessible by providing keyless signing: there are no GPG keys to generate, store, or rotate, because signing is tied to an OIDC identity instead.

Diagram: Sigstore keyless image signing. Build image -> Fulcio (OIDC certificate) -> Cosign (sign image) -> Rekor (transparency log) -> Verified. No keys to manage; identity-based signing via OIDC.

Sigstore Components

  • Cosign: Signs and verifies container images. Keyless signing via OIDC (for example a GitHub or Google identity).
  • Rekor: Append-only, immutable transparency log of all signing events, so every signature can be audited after the fact.
  • Fulcio: Issues short-lived signing certificates bound to an OIDC identity, so there is no long-lived private key to protect.
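Putting the three components together from the command line, as an added example that is not part of the original page: Cosign obtains a Fulcio certificate for the current OIDC identity, signs the image, and records the signature in Rekor; verification then pins the expected signer identity and OIDC issuer. The image reference, workflow identity and issuer URL are constructed placeholders, and the script assumes cosign v2 (`cosign sign --yes`, `--certificate-identity`, `--certificate-oidc-issuer`) is on the PATH with an OIDC token available, such as in a GitHub Actions job.

```shell
#!/bin/sh
# Added example, not Sigstore's own code: keyless sign-and-verify workflow with cosign v2.
# IMAGE, IDENTITY and ISSUER are constructed placeholders; replace them with your own.
IMAGE="ghcr.io/example-org/example-app@sha256:0000000000000000000000000000000000000000000000000000000000000000"
IDENTITY="https://github.com/example-org/example-app/.github/workflows/release.yml@refs/tags/v1.0.0"
ISSUER="https://token.actions.githubusercontent.com"

# Return 0 only if the reference is pinned by digest. Signatures attach to
# digests, so signing or verifying a mutable tag says nothing about the bytes
# you actually pulled.
is_digest_ref() {
  case "$1" in
    *@sha256:[0-9a-f]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the verify command line. Pinning identity and issuer is the security
# check: without these flags any certificate Fulcio ever issued would be accepted.
verify_cmd() {
  printf "cosign verify --certificate-identity '%s' --certificate-oidc-issuer '%s' '%s'\n" "$2" "$3" "$1"
}

# Keyless signing: cosign requests a short-lived Fulcio certificate for the
# current OIDC identity, signs, and uploads the entry to Rekor. --yes skips the
# interactive prompt about uploading to the transparency log.
keyless_sign() {
  is_digest_ref "$1" || { echo "refusing to sign a tag; pin a digest" >&2; return 1; }
  cosign sign --yes "$1"
}

# Verification checks the signature, the Fulcio certificate chain, the Rekor
# inclusion proof, and that the certificate's identity and issuer match.
keyless_verify() {
  is_digest_ref "$1" || { echo "refusing to verify a tag; pin a digest" >&2; return 1; }
  eval "$(verify_cmd "$1" "$2" "$3")"
}

# Run the full flow only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "run" ]; then
  keyless_sign "$IMAGE" && keyless_verify "$IMAGE" "$IDENTITY" "$ISSUER"
fi
```

Run it with `sh sign-verify.sh run` inside a CI job that can mint an OIDC token. The identity string is the full workflow path plus the git ref that ran it, so a signature produced by a different workflow or branch under the same organization fails verification, which is the property a supply-chain consumer wants.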

Learn More

See Module 11: Supply Chain Security.
