Sigstore is an open source project focused on securing software supply chains by enabling developers to sign, verify, and protect software artifacts. It provides a set of tools (including Cosign, Fulcio, and Rekor) and a framework to automate key management and provenance verification, ensuring that open source components come from trusted sources. The project collaborates with major tech organizations and communities to standardize code signing and artifact integrity across distributions and ecosystems. Sigstore aims to improve transparency and trust in software used by developers, maintainers, and enterprises globally, with a focus on the open source ecosystem.