sigstore-go 1.0 is now available

We love Go within the Sigstore community, and it’s been our language of choice since we got started. Cosign, Rekor, Fulcio, Policy Controller, and Timestamp Authority are all written in Go, and we’re lucky to have such a vibrant community of Go developers. Cosign was the de facto Sigstore “client” from the beginning. Originally designed as a container image signing tool, it has become much more, introducing signing with ephemeral keys (with Fulcio), blob signing, attestation support, multi-cloud KMS support, and many more features.

Verifying Sigstore Bundles as an End User

There’s a mnemonic for quickly determining if a bicycle is safe to ride: “ABC” for checking the air in the tires, ensuring the brakes are functional, and checking the chain. It doesn’t definitively answer the question “is this bike safe?” but it does give you a quick starting point for your assessment. Let’s say you download some software and it comes with a Sigstore bundle. Similarly, there isn’t a quick, definitive answer to “is this software safe to use?

Rekor v2 - Cheaper to run, simpler to maintain

We are very excited to announce the alpha release of Rekor v2! Rekor v2 is a redesigned and modernized Rekor, Sigstore’s signature transparency log, transitioning its backend to a modern, tile-backed transparency log implementation to simplify maintenance and lower operational costs. Major changes include:

- A new storage backend, replacing Trillian with Trillian-Tessera. Tile-based logs are cheaper to run and easier to deploy, maintain and scale. To learn more about the benefits of tile-based logs, read this blog post.
- A redesigned and simplified API, using the learnings from operating public-good Rekor over the past 2 years.
- Stronger security guarantees that the log remains append-only, by integrating witnessing directly into Rekor (to be implemented).

For the initial release, we are providing a binary and container for developers.

KMS Plugins for Sigstore

Cosign and private deployments of Fulcio and Rekor can use a KMS-managed key for signing artifacts. Until now, support has been built in for AWS, Azure, Google Cloud Platform, and HashiCorp Vault KMSs only, which has been a challenge for organizations that require an alternative or custom KMS. To enable such use cases, we have implemented a new plugin system for alternate KMS providers. Organizations can develop and distribute their plugins independently and privately, without waiting for the Sigstore libraries to take on each additional KMS provider as a build-time dependency.
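As an added illustration of the dispatch model behind a pluggable KMS (this is example code written for this page, not sigstore's plugin implementation and not its plugin wire protocol): cosign already picks a backend from the scheme of the key reference (awskms://, gcpkms://, azurekms://, hashivault://), and a plugin system extends that idea to schemes the client never knew about at build time. The `examplekms` scheme, the `SignerVerifier` interface, the `Register`/`Resolve` functions and the in-memory ECDSA provider below are all constructed for the example; a real provider would additionally expose the public key and talk to a remote service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// SignerVerifier is the minimal capability a KMS provider hands back to a signing
// client. Its name and shape are chosen for this example, not sigstore's own type.
type SignerVerifier interface {
	SignMessage(message []byte) ([]byte, error)
	VerifySignature(signature, message []byte) error
}

// ProviderFactory turns the key ID after "scheme://" into a signer.
type ProviderFactory func(keyID string) (SignerVerifier, error)

var registry = map[string]ProviderFactory{} // URI scheme -> provider

// Register installs a provider for a scheme; a plugin would do this when loaded.
func Register(scheme string, f ProviderFactory) { registry[scheme] = f }

// Resolve dispatches a key reference such as "examplekms://signing-key-1" to the
// provider for its scheme. Unknown schemes and malformed references are hard
// errors, never a silent fallback to a local key.
func Resolve(keyRef string) (SignerVerifier, error) {
	scheme, keyID, ok := strings.Cut(keyRef, "://")
	if !ok || scheme == "" || keyID == "" {
		return nil, fmt.Errorf("malformed key reference %q", keyRef)
	}
	f, found := registry[scheme]
	if !found {
		return nil, fmt.Errorf("no KMS provider registered for scheme %q", scheme)
	}
	return f(keyID)
}

// newMemProvider builds a toy in-process "KMS" (hypothetical): private keys stay
// inside the closure and callers only ever get a signing oracle, as with a real KMS.
func newMemProvider(ids ...string) ProviderFactory {
	keys := map[string]*ecdsa.PrivateKey{}
	for _, id := range ids {
		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		keys[id] = priv
	}
	return func(keyID string) (SignerVerifier, error) {
		priv, ok := keys[keyID]
		if !ok {
			return nil, fmt.Errorf("key %q not found in KMS", keyID)
		}
		return &memSigner{priv: priv}, nil
	}
}

type memSigner struct{ priv *ecdsa.PrivateKey }

// SignMessage hashes with SHA-256 and returns an ASN.1 DER ECDSA P-256 signature.
func (s *memSigner) SignMessage(message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

func (s *memSigner) VerifySignature(signature, message []byte) error {
	digest := sha256.Sum256(message)
	if !ecdsa.VerifyASN1(&s.priv.PublicKey, digest[:], signature) {
		return errors.New("signature verification failed")
	}
	return nil
}

// SignWithKeyRef is the client side: the provider is chosen purely by the scheme
// of the key reference, so adding a KMS means registering a scheme, not rebuilding.
func SignWithKeyRef(keyRef string, artifact []byte) ([]byte, error) {
	sv, err := Resolve(keyRef)
	if err != nil {
		return nil, err
	}
	return sv.SignMessage(artifact)
}

func main() {
	Register("examplekms", newMemProvider("signing-key-1"))
	artifact := []byte("constructed sample artifact bytes")
	sig, err := SignWithKeyRef("examplekms://signing-key-1", artifact)
	if err != nil {
		panic(err)
	}
	sv, _ := Resolve("examplekms://signing-key-1")
	fmt.Println("verify:", sv.VerifySignature(sig, artifact))
}
```

The point to take from the shape: the client never sees key material and never grows a new build-time dependency per backend, and an unregistered scheme or a missing key ID fails closed rather than quietly signing with something else.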

Taming the Wild West of ML: Practical Model Signing with Sigstore

Over the past year, in collaboration with OpenSSF, NVIDIA and HiddenLayer, we have worked on bringing Sigstore signatures to the world of machine learning, making ML models tamper-resistant via transparent signatures. Today we are pleased to announce the launch of version 1.0 of the model-signing project, built on top of sigstore-python. After installing it with pip install model-signing, users can use the CLI to sign and verify models, as per the following examples:
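Separately from the CLI examples the post refers to, here is an added sketch of what a signature over a model has to commit to (example code written for this page, not the model-signing project's own code or signature format): hash every file under the model directory into a canonical manifest, sign the manifest, and at verification time recompute the manifest from whatever is on disk now. The toy directory layout, the `model.sig` file name, and the use of a raw Ed25519 key in place of the Sigstore signing the project builds on are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// sigFileName is where the signature lives next to the model; skipped while hashing (assumption).
const sigFileName = "model.sig"

// BuildManifest walks the model tree and returns a canonical "relpath<TAB>sha256\n" listing.
// Sorting makes the bytes independent of walk order, slash paths keep it portable, and
// symlinks are refused so the manifest cannot reach outside the tree.
func BuildManifest(root string) ([]byte, error) {
	var lines []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		rel = filepath.ToSlash(rel)
		if rel == sigFileName {
			return nil
		}
		if d.Type()&fs.ModeSymlink != 0 {
			return fmt.Errorf("refusing symlink %q inside model tree", rel)
		}
		data, err := os.ReadFile(p) // a real tool would stream multi-GB weight files
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		lines = append(lines, rel+"\t"+hex.EncodeToString(sum[:])+"\n")
		return nil
	})
	if err != nil {
		return nil, err
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "")), nil
}

// SignModel signs the manifest, committing to every file's path and content.
func SignModel(root string, priv ed25519.PrivateKey) ([]byte, error) {
	m, err := BuildManifest(root)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, m), nil
}

// VerifyModel recomputes the manifest from disk, so any modified, added or removed file fails.
func VerifyModel(root string, pub ed25519.PublicKey, sig []byte) error {
	m, err := BuildManifest(root)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, m, sig) {
		return fmt.Errorf("model signature does not match contents on disk")
	}
	return nil
}

// writeSampleModel creates a constructed toy model directory for the demo.
func writeSampleModel(dir string) {
	files := map[string]string{
		"config.json":        `{"arch":"toy","layers":2}`,
		"weights/layer0.bin": "constructed weight bytes 0",
		"weights/layer1.bin": "constructed weight bytes 1",
	}
	for name, content := range files {
		p := filepath.Join(dir, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			panic(err)
		}
		if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
			panic(err)
		}
	}
}

func main() {
	dir, _ := os.MkdirTemp("", "model")
	defer os.RemoveAll(dir)
	writeSampleModel(dir)
	pub, priv, _ := ed25519.GenerateKey(nil)
	sig, _ := SignModel(dir, priv)
	fmt.Println("clean model:", VerifyModel(dir, pub, sig))
	_ = os.WriteFile(filepath.Join(dir, "weights", "layer1.bin"), []byte("backdoored"), 0o644)
	fmt.Println("tampered model:", VerifyModel(dir, pub, sig))
}
```

Two details matter more than they look: the manifest must be byte-for-byte reproducible on the verifier's machine (hence sorted, slash-separated paths and a fixed serialization), and the walk must not follow symlinks, otherwise a model tree can be made to "contain" files from outside it.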