<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Sigstore Blog on Sigstore Blog</title><generator uri="https://gohugo.io">Hugo</generator><link>https://blog.sigstore.dev/</link><language>en-us</language><updated>Wed, 01 Apr 2026 00:00:00 UTC</updated><item><title>Introduction sigstore-c</title><link>https://blog.sigstore.dev/sigstore-c/</link><pubDate>Wed, 01 Apr 2026 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/sigstore-c/</guid><description>These days, there are many interoperable Sigstore client libraries in various programming languages. But there are still a few places where you might struggle to run Sigstore, like on an Intel 8086 processor (first released in 1978), say running a version of DOS.
Until today. Introducing sigstore-c, which focuses on portability over features (and correctness!)
You can build sigstore-c on any system with a C89 compiler, including modern Linux environments with gcc or the aforementioned DOS environment with something like Open Watcom v2.</description></item><item><title>Rekor v2 GA - Cheaper to run, simpler to maintain</title><link>https://blog.sigstore.dev/rekor-v2-ga/</link><pubDate>Fri, 10 Oct 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/rekor-v2-ga/</guid><description>We are very excited to announce the General Availability of Rekor v2!
Rekor v2 is a redesigned and modernized Rekor, Sigstore&amp;rsquo;s signature transparency log, transitioning its backend to a tile-backed transparency log implementation to simplify maintenance and lower operational costs. Learn more about Rekor v2 in our previous blog post announcing Alpha.
We have added support for Rekor v2 upload and verification to Cosign v2.6.0, along with the Go, Python, and Java clients.</description></item><item><title>Cosign v3 is now available</title><link>https://blog.sigstore.dev/cosign-3-0-available/</link><pubDate>Wed, 08 Oct 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/cosign-3-0-available/</guid><description>The past few years have been incredible in the Sigstore ecosystem, seeing Sigstore-signed in-toto attestations be adopted by Homebrew (May 2024), PyPI (November 2024), Maven Central (January 2025), model signing in NVIDIA&amp;rsquo;s NGC (July 2025), and several others.
These deployments make use of great Sigstore features, like the ability to verify content offline, being able to fetch new verification key material with The Update Framework, and the ability to use a tile-based transparency log that&amp;rsquo;s much easier to operate and scale.</description></item><item><title>Announcing the Sigstore Transparency Log Research Dataset</title><link>https://blog.sigstore.dev/rekor-bigquery-dataset/</link><pubDate>Fri, 15 Aug 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/rekor-bigquery-dataset/</guid><description>We&amp;rsquo;re pleased to announce the creation of a new BigQuery public dataset, rekor. The rekor dataset is an easily-queryable mirror of the public good instance of Sigstore&amp;rsquo;s transparency log, Rekor.
As a reminder, signing events are recorded in Rekor, Sigstore&amp;rsquo;s append-only transparency log. Software consumers rely on cryptographic proofs of log inclusion to verify that software artifacts are recorded to the log. Software producers can verify metadata in the log, verifying that the recorded signature metadata was produced as expected when their identities or keys were used to sign artifacts, using a Rekor monitor.</description></item><item><title>Trusting AI Models in Kubernetes: Introducing the Sigstore Model Validation Operator</title><link>https://blog.sigstore.dev/model-validation-operator-v1.0.1/</link><pubDate>Mon, 23 Jun 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/model-validation-operator-v1.0.1/</guid><description>As machine learning becomes deeply embedded in critical infrastructure, the question of trust in deployed models is increasingly critical. How can we be sure that an AI model running in a Kubernetes cluster is exactly what it claims to be?
The OpenSSF AI/ML working group believes the answer can be found in signing AI models. A long-standing practice in traditional software distribution is to leverage cryptographic signatures to help end-users verify provenance: that software is authentic, has not been tampered with, and was authored by the expected creator.</description></item><item><title>Sigstore &amp; Post-Quantum Cryptography (2025)</title><link>https://blog.sigstore.dev/post-quantum-2025/</link><pubDate>Fri, 06 Jun 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/post-quantum-2025/</guid><description>In the coming years, systems will transition to post-quantum cryptographic algorithms (PQCA). There is some inherent tension in these transitions as we learn things through adoption, but making decisions too soon can saddle you with tech debt. The quick summary is that the Sigstore project wants to enable people to sign content with PQCA keys as soon as possible, and adopt PQCA in the Sigstore services (like Fulcio, Rekor, and a timestamp authority) when reliable and vetted PQCA is available in the Go ecosystem.</description></item><item><title>sigstore-go 1.0 is now available</title><link>https://blog.sigstore.dev/sigstore-go-1-0-now-available/</link><pubDate>Mon, 12 May 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/sigstore-go-1-0-now-available/</guid><description>We love Go within the Sigstore community, and it&amp;rsquo;s been our language of choice since we got started. Cosign, Rekor, Fulcio, Policy Controller, and Timestamp Authority are all written in Go, and we&amp;rsquo;re lucky to have such a vibrant community of Go developers.
Cosign was the de-facto Sigstore &amp;ldquo;client&amp;rdquo; from the beginning. Originally designed as a container image signing tool, it has become much more, introducing signing with ephemeral keys (with Fulcio), blob signing, attestation support, multi-cloud KMS support, and many more features.</description></item><item><title>Verifying Sigstore Bundles as an End User</title><link>https://blog.sigstore.dev/cosign-verify-end-user/</link><pubDate>Fri, 02 May 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/cosign-verify-end-user/</guid><description>There&amp;rsquo;s a mnemonic for quickly determining if a bicycle is safe to ride: &amp;ldquo;ABC&amp;rdquo; for checking the air in the tires, ensuring the brakes are functional, and checking the chain. It doesn&amp;rsquo;t definitively answer the question &amp;ldquo;is this bike safe?&amp;rdquo; but it does give you a quick starting point for your assessment.
Let&amp;rsquo;s say you download some software and it comes with a Sigstore bundle. Similarly, there isn&amp;rsquo;t a quick, definitive answer to &amp;ldquo;is this software safe to use?</description></item><item><title>Rekor v2 - Cheaper to run, simpler to maintain</title><link>https://blog.sigstore.dev/rekor-v2-alpha/</link><pubDate>Thu, 17 Apr 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/rekor-v2-alpha/</guid><description>We are very excited to announce the alpha release of Rekor v2!
Rekor v2 is a redesigned and modernized Rekor, Sigstore&amp;rsquo;s signature transparency log, transitioning its backend to a modern, tile-backed transparency log implementation to simplify maintenance and lower operational costs.
Major changes include:
A new storage backend, replacing Trillian with Trillian-Tessera. Tile-based logs are cheaper to run and easier to deploy, maintain and scale. To learn more about the benefits of tile-based logs, read this blog post.
A redesigned and simplified API, using the learnings from operating public-good Rekor over the past 2 years.
Stronger security guarantees that the log remains append-only by integrating witnessing directly into Rekor (to be implemented).
For the initial release, we are providing a binary and container for developers.</description></item><item><title>KMS Plugins for Sigstore</title><link>https://blog.sigstore.dev/kms-plugins/</link><pubDate>Mon, 07 Apr 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/kms-plugins/</guid><description>Cosign and private deployments of Fulcio and Rekor can use a KMS-managed key for signing artifacts. We currently have built-in support for AWS, Azure, Google Cloud Platform, and Hashicorp Vault KMSs. This has been a challenge for customers that require alternative or custom KMS solutions.
To enable such use cases, we have implemented a new plugin system for alternate KMS providers. Organizations can independently and privately develop &amp;amp; distribute their plugins without needing downstream updates to libraries to support additional KMS providers as build-time dependencies.</description></item><item><title>Taming the Wild West of ML: Practical Model Signing with Sigstore</title><link>https://blog.sigstore.dev/model-transparency-v1.0/</link><pubDate>Fri, 04 Apr 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/model-transparency-v1.0/</guid><description>Over the past year, in collaboration with OpenSSF, NVIDIA and HiddenLayer, we have worked on bringing Sigstore signatures to the world of machine learning, making ML models tamper resistant via transparent signatures. Today we are pleased to announce the launch of version 1.0 of the model-signing project, built on top of sigstore-python. After installing via pip install model-signing, users can use the CLI to sign and verify models, as per the following examples:</description></item><item><title>New Terraform Modules Repository</title><link>https://blog.sigstore.dev/terraform-modules/</link><pubDate>Wed, 05 Mar 2025 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/terraform-modules/</guid><description>New Terraform Modules Repository
The Terraform modules for running a private deployment of Sigstore have been moved to a dedicated repository, terraform-modules.
We currently support Google Cloud Platform as a cloud provider. We welcome any community contributions for other cloud providers.
Deprecation for Terraform Modules under Scaffolding
Effective immediately, the Terraform modules in the scaffolding repository will no longer be updated. If you are relying on Terraform for your private deployment, please update references from scaffolding to the new terraform-modules repository.</description></item><item><title>Using rekor-monitor to Scan Your Transparency Logs</title><link>https://blog.sigstore.dev/using-rekor-monitor/</link><pubDate>Thu, 21 Nov 2024 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/using-rekor-monitor/</guid><description>Overview
As part of the tool suite within Sigstore that focuses on providing transparency in the software supply chain, Rekor, Sigstore&amp;rsquo;s signature transparency log, and Fulcio&amp;rsquo;s certificate transparency log provide discoverability and auditability for signed artifact metadata and code-signing certificates. These immutable, append-only logs help secure the software supply chain by making it easier to show what actions have been performed by a compromised identity.
A variety of different improvements have recently been integrated into rekor-monitor to make it easier to use.</description></item><item><title>PyPI's Sigstore-powered attestations are now generally available</title><link>https://blog.sigstore.dev/pypi-attestations-ga/</link><pubDate>Thu, 14 Nov 2024 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/pypi-attestations-ga/</guid><description>Check out the PyPI blog and Trail of Bits blog for more user-facing and technical details, respectively!
Over the past year, the Google Open Source Security Team and Trail of Bits have worked together to implement PEP 740, a Python packaging standard that allows users to upload Sigstore-based attestations to the Python Package Index.
Today we&amp;rsquo;re pleased to announce that attestation support on PyPI is generally available, meaning that project maintainers can submit attestations for both PyPI and downstream users to verify.</description></item><item><title>Fulcio Streamlines Onboarding for CI Identity Providers</title><link>https://blog.sigstore.dev/fulcio-ci-provider/</link><pubDate>Thu, 05 Sep 2024 00:00:00 UTC</pubDate><guid>https://blog.sigstore.dev/fulcio-ci-provider/</guid><description>TL;DR Fulcio, the Sigstore certificate authority, has introduced a new feature that simplifies the onboarding process for identity providers, mainly for continuous integration. This enhancement eliminates the need for complex, provider-specific logic implementations.
Traditionally, integrating a new identity provider for CI involved significant development effort, which required understanding the codebase and cutting a new release. However, with this update, onboarding is reduced to configuring a YAML file which houses essential provider information for building certificate extensions based on ID token claims.</description></item></channel></rss>