Introduction

Sigstore is a new standard for signing, verifying and protecting software. It can be used to make sure your software is what it claims to be. Learn more at https://www.sigstore.dev/

Sigstore combines several technologies to handle signing, verification and provenance checks in a way that respects privacy and works at scale. This section shows the open source subprojects that make up Sigstore, as well as non-code projects that support the Sigstore community, such as the roadmap and specification.

Cosign
Gitsign
Fulcio
Rekor

In some cases Sigstore services are run as public instances, for example the public instance of the Rekor transparency log used to verify signatures. This section allows you to discover public instances run by the community and/or by organizations that host Sigstore services.

Sigstore Public Service

Use of Sigstore is sometimes transparent to users as its signing and verification functionality is seamlessly integrated with version control or build software. This section highlights open source and closed source tools, platforms and applications that integrate Sigstore functionality such that users of those tools may benefit from software signing and verification.

Artifact Hub
GoReleaser
Harbor
The Update Framework (TUF)
Trivy
in-toto
Helm plugin for Sigstore
JReleaser
Kyverno
Kubewarden
Tekton Chains
Flux

This section highlights open source and closed source software that uses Sigstore for signing artifacts. That means that users of this software are able to verify the integrity of its artifacts using Sigstore.

Cert Manager
Cilium
Flux (Signed With)
Istio
Jenkins X
Karpenter
Keda
Knative
Kubernetes
Kubewarden (Signed With)
Kyverno (Signed With)
Ockam
CPython
Tekton
urllib3

This section showcases organizations that currently use Sigstore as part of their software supply chain security toolbox. That means the organizations are at a minimum signing internal artifacts with Sigstore. Each organization links to a specific case study to highlight how they are using Sigstore.

Autodesk
Edgeless Systems
Rancher Government Solutions
Verizon