Introduction

Sigstore is a new standard for signing, verifying and protecting software. It can be used to make sure your software is what it claims to be. Learn more at https://www.sigstore.dev/

Sigstore is made up of a combination of technologies to handle signing, verification and provenance checks that respect privacy and work at scale. This section shows the open source subprojects that make up Sigstore, as well as non-code projects that support the Sigstore community, such as the roadmap and specification.

Cosign
Fulcio
Gitsign
Rekor

In some cases Sigstore services are run as public instances, for example, the public instance of the Rekor transparency log used to verify signatures. This section allows you to discover public instances run by the community and/or organizations that host Sigstore services.

Sigstore Public Service

Use of Sigstore is sometimes transparent to users as its signing and verification functionality is seamlessly integrated with version control or build software. This section highlights open source and closed source tools, platforms and applications that integrate Sigstore functionality such that users of those tools may benefit from software signing and verification.

Artifact Hub
Enterprise Contract
Flux
GoReleaser
Harbor
Helm plugin for Sigstore
in-toto
JReleaser
Kubewarden
Kyverno
Open Policy Containers
Tekton Chains
The Update Framework (TUF)
Trivy

This section highlights open source and closed source software that uses Sigstore for signing artifacts. That means that users of these tools are able to verify the integrity of artifacts using Sigstore.

Caddy
Cert Manager
Cilium
CPython
Fluent Bit
Flux (Signed With)
Istio
Jenkins X
Karpenter
Keda
Keptn
Knative
KubeEdge
Kubernetes
Kubewarden (Signed With)
Kyverno (Signed With)
Linkerd
Ockam
OpenTofu
Pulumi
Shipwright
Tekton
Tracee
updatecli
urllib3

This section showcases organizations that currently use Sigstore as part of their software supply chain security toolbox. That means the organizations are at a minimum signing internal artifacts with Sigstore. Each organization links to a specific case study to highlight how they are using Sigstore.

Autodesk
DB Schenker
Edgeless Systems
Rancher Government Solutions
Smallstep
Verizon