Sigstore automates the code signing process by issuing ephemeral, short-lived certificates bound to an OpenID Connect (OIDC) identity, eliminating the need for developers to manage, rotate, or protect long-lived private keys. This keyless workflow cryptographically links a software artifact to the email address or workload identity of its creator, providing a verifiable chain of custody.
Glossary
Sigstore

What is Sigstore?
Sigstore is an open-source project that enables automated, free digital signing and verification of software artifacts using short-lived certificates issued via OpenID Connect identities.
The project's core components—Fulcio (certificate authority), Rekor (transparency log), and Cosign (signing tool)—work in concert to make signing transparent and auditable. By recording every signature event in an append-only, immutable transparency log, Sigstore enables automated policy enforcement and allows security teams to detect unauthorized or compromised signing events in the software supply chain.
Key Features of Sigstore
Sigstore provides a free, automated mechanism for signing and verifying software artifacts using short-lived certificates tied to OpenID Connect identities, eliminating the burden of long-term key management.
Keyless Signing via OIDC
Eliminates the need for developers to manage, rotate, or protect long-lived private keys. Sigstore binds a short-lived ephemeral keypair to an OpenID Connect (OIDC) identity, such as a Google or GitHub account.
- The signing certificate is generated on the fly and valid for only 10 minutes.
- This removes the risk of leaked or stolen static signing keys.
- Trust is rooted in the identity provider's authentication, not a manually distributed public key.
Transparency Log (Rekor)
An append-only, cryptographically verifiable public ledger that records every signing event. This makes the issuance of certificates auditable and detectable if a signing identity is compromised.
- Merkle Tree construction ensures tamper-evident storage.
- Monitors can watch the log for unauthorized signatures tied to a specific identity.
- Provides a chain of custody for software provenance, enabling 'trust but verify' workflows.
Automated Verification with Cosign
The cosign CLI tool integrates directly into CI/CD pipelines to sign and verify container images, blobs, and other artifacts. Verification checks the signature against the Transparency Log and the OIDC identity.
cosign verifyensures an artifact was signed by a trusted identity within its validity window.- Supports policy-based admission control via integrations with Kubernetes admission controllers.
- Enforces Binary Authorization by blocking unsigned or improperly attested images from production.
Fulcio Certificate Authority
A root Certificate Authority (CA) that issues short-lived code-signing certificates upon successful OIDC authentication. Fulcio does not require prior registration.
- The CA verifies the user's identity via an OIDC token, then issues an X.509 certificate.
- The certificate embeds the OIDC identity, enabling verification without a centralized key server.
- This decouples the trust anchor from a specific organization's key management infrastructure.
Integration with SLSA Framework
Sigstore serves as a critical technical building block for achieving higher Supply-chain Levels for Software Artifacts (SLSA) compliance. It provides the non-falsifiable attestations required for provenance.
- Generates verifiable in-toto attestations for build steps.
- Enables reproducible builds by signing the resulting artifact hash.
- Supports the generation of a cryptographically verifiable SBOM signature, linking a software inventory to a trusted builder identity.
Frequently Asked Questions
Clear, technical answers to the most common questions about Sigstore's keyless signing architecture, its role in software supply chain security, and how it integrates with modern DevSecOps pipelines.
Sigstore is an open-source project that enables free, automated digital signing and verification of software artifacts using short-lived certificates issued via OpenID Connect (OIDC) identities. It eliminates the need for developers to manage long-lived private keys manually.
Core Workflow
- Authentication: A developer or CI/CD pipeline authenticates to an OIDC provider (e.g., Google, GitHub, Microsoft) to prove their identity.
- Certificate Issuance: The Sigstore Fulcio certificate authority issues a short-lived X.509 code-signing certificate (valid for ~10 minutes) binding the verified OIDC identity to a public key.
- Signing: The artifact is signed using the private key generated ephemerally for that session.
- Transparency Logging: The signing event is recorded immutably in the Rekor transparency log, providing an auditable, append-only record.
- Verification: Consumers use the
cosigntool to verify the signature against the transparency log, ensuring the artifact was signed by a trusted identity and the certificate was valid at the time of signing.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and tools that form the Sigstore ecosystem for automated, keyless software signing and verification.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us