sigstore.dev and Rekor evolution

If you have been following the Sigstore project over the last year, you know we’ve been rolling out version 2 of Rekor, Sigstore’s transparency log. The intent was to enable signing with Rekor v2 by default, but there’s been a change of plans: the sigstore.dev public good instance will continue using Rekor v1 as the default log for the foreseeable future. Why are we staying with Rekor v1? While Rekor v2 provides greater infrastructure resiliency, it introduces breaking changes in client behavior.

Introduction sigstore-c

These days, there’s many interoperable Sigstore client libraries in various programming languages. But there are still a few places where you might struggle to run Sigstore, like on a Intel 8086 processor (first released in 1978), say running a version of DOS. Until today. Introducing sigstore-c, which focuses on portability over features (and correctness!) You can build sigstore-c on any system with a C89 compiler, including modern Linux environments with gcc or the aforementioned DOS environment with something like Open Watcom v2.

Rekor v2 GA - Cheaper to run, simpler to maintain

We are very excited to announce the General Availability of Rekor v2! Rekor v2 is a redesigned and modernized Rekor, Sigstore’s signature transparency log, transitioning its backend to a tile-backed transparency log implementation to simplify maintenance and lower operational costs. Learn more about Rekor v2 in our previous blog post announcing Alpha. We have added support for Rekor v2 upload and verification to Cosign v2.6.0, along with the Go, Python, and Java clients.

Cosign v3 is now available

The past few years have been incredible in the Sigstore ecosystem, seeing Sigstore-signed in-toto attestations be adopted by Homebrew (May 2024), PyPI (November 2024), Maven Central (January 2025), model signing in NVIDIA’s NGC (July 2025), and several others. These deployments make use of great Sigstore features, like the ability to verify content offline, being able to fetch new verification key material with The Update Framework, and the ability to use a tile-based transparency log that’s much easier to operate and scale.

Announcing the Sigstore Transparency Log Research Dataset

We’re pleased to announce the creation of a new BigQuery public dataset, rekor. The rekor dataset is an easily-queryable mirror of the public good instance of Sigstore’s transparency log, Rekor. As a reminder, signing events are recorded in Rekor, Sigstore’s append-only transparency log. Software consumers rely on cryptographic proofs of log inclusion to verify that software artifacts are recorded to the log. Software producers can verify metadata in the log, verifying that the recorded signature metadata was produced as expected when their identities or keys were used to sign artifacts, using a Rekor monitor.