
Security Briefing — Sigstore Launches for Open Source Signing

The Linux Foundation, Google, Red Hat, and Purdue researchers launched Sigstore to provide free code signing, certificate transparency, and artifact attestation services for open source maintainers.

Executive briefing: The Linux Foundation announced Sigstore on , introducing a community-operated service that issues short-lived certificates, records signatures in a transparency log, and simplifies supply chain provenance for open source releases.

Key updates

  • Fulcio certificate authority. Developers authenticate with OpenID Connect to obtain ephemeral certificates tied to their identity provider.
  • Rekor transparency log. Artifact signatures and attestations are immutably recorded for public auditing and incident response.
  • Client tooling. Cosign and related libraries integrate signing and verification into CI pipelines with minimal configuration.
  • Governance roadmap. The project committed to open governance, multi-region infrastructure, and compatibility with Kubernetes, Helm, and container registries.

Implementation guidance

  • Adopt Cosign in build pipelines to sign container images, binaries, and SBOMs alongside release automation.
  • Record verification policies in admission controllers or deployment scripts to require Rekor entries before promotion.
  • Align artifact retention and key management policies with Sigstore's short-lived certificate model.
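Added example, not code from the briefing or from the Sigstore project: a small promotion gate that consumes the JSON a keyless `cosign verify` run emits and refuses to promote an image unless at least one signature is bound to the expected digest, carries a Rekor bundle, and was issued to the trusted OIDC issuer and workflow identity. The sample verifier output and the policy values are constructed, and the field names are assumed from cosign's JSON output format.

```python
import fnmatch
import json

# Constructed sample in the shape of `cosign verify --output json` for a keyless
# signature. Field names are assumed from cosign's JSON output; digest, subject,
# and Rekor log values are invented for the example.
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "registry.example.com/app/api"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
    },
    "optional": {
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/example-org/api/.github/workflows/release.yml@refs/tags/v1.4.0",
        "Bundle": {"Payload": {"logIndex": 12345, "integratedTime": 1700000000, "logID": "0" * 64}},
    },
}])

# Hypothetical promotion policy: which OIDC issuer and signing identity are trusted.
POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject_glob": "https://github.com/example-org/api/.github/workflows/release.yml@refs/tags/v*",
}

def promotion_allowed(verify_json: str, expected_digest: str, policy: dict) -> tuple[bool, str]:
    """Return (allowed, reason): promotion needs one signature bound to the expected digest,
    recorded in Rekor (bundle present), and issued to the trusted identity."""
    try:
        entries = json.loads(verify_json)
    except json.JSONDecodeError as exc:
        return False, f"unparseable verifier output: {exc}"
    reasons = []
    for entry in entries or []:
        digest = entry.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        opt = entry.get("optional") or {}
        payload = (opt.get("Bundle") or {}).get("Payload") or {}
        if digest != expected_digest:
            reasons.append(f"digest {digest} != {expected_digest}")
        elif "logIndex" not in payload:
            reasons.append("no Rekor bundle on signature")  # signed, but never logged
        elif opt.get("Issuer") != policy["issuer"]:
            reasons.append(f"untrusted issuer {opt.get('Issuer')}")
        elif not fnmatch.fnmatchcase(opt.get("Subject", ""), policy["subject_glob"]):
            reasons.append(f"identity {opt.get('Subject')} not allowed")
        else:
            return True, f"signature at Rekor log index {payload['logIndex']} satisfies policy"
    return False, "; ".join(reasons) or "no signatures returned"

if __name__ == "__main__":
    ok, why = promotion_allowed(SAMPLE_VERIFY_OUTPUT, "sha256:" + "ab" * 32, POLICY)
    print("PROMOTE" if ok else "BLOCK", why)
```

In a pipeline the same function would run over the real `cosign verify` output for the digest the build just produced, and the expected digest should come from the build record rather than from the registry tag.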