The Sigstore Project

Standard for signing, verifying and protecting software

Initiated by Chainguard

Transforms the key-management problem into an identity problem

Keyless Signature Flow

cosign creates a temporary key pair and requests a certificate from fulcio.

The client gets redirected to authenticate; fulcio issues a short-lived certificate based on the authentication data.

cosign records the signature in the transparency log rekor.

After signing, the key pair as well as the certificate are deleted.


Signature verification

Verification still requires trust

Cosign verifies whether a valid signature is present

Tell cosign which certificate metadata to accept (who has authenticated, and with which identity provider)


Kyverno has built-in support
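As an added example (not part of the original slides or the Kyverno project), a Kyverno ClusterPolicy that encodes the "who has authenticated where" check for keyless signatures on pod images; the registry pattern, subject and issuer values are assumed placeholders for a GitHub Actions workflow:

```yaml
# Added example: admission policy that admits a Pod only if every image
# matching the pattern carries a keyless Sigstore signature whose Fulcio
# certificate binds the assumed identity (subject) and identity provider (issuer).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-keyless-signature
spec:
  validationFailureAction: Enforce   # reject, do not merely audit
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: verify-keyless-image-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"            # assumed registry/namespace
          attestors:
            - entries:
                - keyless:
                    # Subject is the SAN in the Fulcio certificate; for a
                    # GitHub Actions build it is the workflow URL. Never use
                    # a bare "*" here: that would accept any authenticated
                    # identity from the issuer below.
                    subject: "https://github.com/example-org/*"
                    # Issuer is the OIDC provider that authenticated the signer.
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev  # public transparency log
```

The subject and issuer together express the trust decision the slides describe: a valid signature alone is not enough, the certificate must also name an identity you expect.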


Bootstrapping the tooling is important

Check the supply chain of required tools