What Is Sigstore? Easy Signing for Software Artifacts
Sigstore is an open-source toolchain that makes signing and verifying software artifacts simple, without forcing developers to manage long-lived private keys.
Signing software has always been valuable and always been painful: you had to generate keys, guard them, and never lose them. Sigstore removes that friction. It lets you sign artifacts using a short-lived certificate tied to an identity you already have, and records every signature in a public, tamper-evident log. The result is signing that teams will actually use.
The pieces of Sigstore
- Cosign: the CLI that signs and verifies artifacts and container images.
- Fulcio: a certificate authority that issues short-lived signing certificates.
- Rekor: a public transparency log recording every signature.
How keyless signing works
Instead of a long-lived private key, you authenticate with an OIDC identity. Fulcio issues a certificate valid for only a few minutes, you sign with it, and the signature plus certificate go into Rekor. There is no durable key to steal or rotate.
The transparency log
Rekor is an append-only public log. Anyone can verify that a signature exists and was made at a certain time, and the log's tamper-evidence makes it hard to quietly backdate or remove an entry. It turns signing into something auditable.
Why it caught on
Sigstore made artifact signing free, keyless, and integrated with the identities developers already have. That lowered the barrier enough that signing container images and producing attestations became a normal part of CI rather than a specialist chore.
Sigstore in the pipeline
In CI, the pipeline authenticates with its workload identity, gets a short-lived certificate, and signs the artifact, all without a stored key. Running this on an isolated, ephemeral builder ensures the signing identity is not exposed to other jobs.
Key takeaways
- Sigstore makes artifact signing easy with no long-lived private keys.
- Cosign signs, Fulcio issues short-lived certs, Rekor logs every signature.
- Keyless, identity-based signing removes the key-management burden.