Sigstore is an open source initiative designed to make software artifact signing and verification simple, automatic, and widely accessible. Its primary goal is to improve software supply chain security by enabling developers and organizations to cryptographically prove the origin and integrity of the software they build and distribute.

At its core, sigstore removes many of the traditional barriers associated with code signing. Instead of managing long-lived private keys manually, sigstore supports keyless signing, where identities are issued dynamically using OpenID Connect (OIDC) providers such as GitHub Actions, Google, or Microsoft. This dramatically lowers operational complexity and reduces the risk of key compromise.

The sigstore ecosystem is composed of several key components:

- Cosign: A tool for signing, verifying, and storing signatures for container images and other artifacts. Signatures are stored alongside artifacts in OCI registries, rather than embedded in them.

- Fulcio: A certificate authority that issues short-lived X.509 certificates based on OIDC identities, enabling keyless signing.

- Rekor: A transparency log that records signing events in an append-only, tamper-evident ledger. This provides public auditability and detection of suspicious or malicious signing activity.

Together, these components allow anyone to verify who built an artifact, when it was built, and whether it has been tampered with, using publicly verifiable cryptographic proofs. This aligns closely with modern supply chain security practices such as SLSA (Supply-chain Levels for Software Artifacts).
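To make the "append-only, tamper-evident ledger" concrete, here is an added example (not Rekor's or sigstore's own code) that models the mechanism Rekor relies on: an RFC 6962 Merkle tree over log entries, an inclusion proof for one entry, and the client-side verification a tool like cosign performs against a root hash it trusts. The log entries, identities and digests below are constructed sample data, not real Rekor records, and `make_entry` is a simplified stand-in for Rekor's entry format.

```python
"""Model of a tamper-evident transparency log (RFC 6962 Merkle tree).

Added example, not sigstore or Rekor code. Rekor stores each signing
event as a tree leaf and hands clients an inclusion proof plus a signed
root (checkpoint); the entries below are constructed sample data.
"""
import hashlib
import json
from typing import Dict, List


def leaf_hash(data: bytes) -> bytes:
    """RFC 6962 leaf hash: the 0x00 prefix domain-separates leaves from nodes."""
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: 0x01 prefix over the two child hashes."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree shape)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(leaves: List[bytes]) -> bytes:
    """Merkle tree head over the ordered log entries."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split_point(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path for leaves[index]: sibling hashes ordered leaf-to-root."""
    if len(leaves) == 1:
        return []
    k = _split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [root_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [root_hash(leaves[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], trusted_root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): recompute the root from
    the entry and its audit path. The verifier never needs the rest of the
    log, only a root it trusts; Rekor signs that root as a checkpoint."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    h = leaf_hash(entry)
    for sibling in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            h = node_hash(sibling, h)
            if not fn & 1:
                while True:
                    fn >>= 1
                    sn >>= 1
                    if fn & 1 or fn == 0:
                        break
        else:
            h = node_hash(h, sibling)
        fn >>= 1
        sn >>= 1
    return sn == 0 and h == trusted_root


def make_entry(artifact_sha256: str, identity: str, issuer: str, ts: int) -> bytes:
    """Constructed stand-in for a Rekor entry: what was signed, by which OIDC
    identity, from which issuer, and when. Canonical JSON keeps bytes stable."""
    body = {"artifact": artifact_sha256, "identity": identity,
            "issuer": issuer, "integratedTime": ts}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


# Constructed sample log of five signing events (placeholder digests/identities).
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ENTRIES = [
    make_entry("sha256:" + "11" * 32, "dev@example.com", "https://accounts.google.com", 1700000000),
    make_entry("sha256:" + "22" * 32, "https://github.com/example/app/.github/workflows/release.yml@refs/tags/v1.0.0", GITHUB_ISSUER, 1700000100),
    make_entry("sha256:" + "33" * 32, "dev@example.com", "https://accounts.google.com", 1700000200),
    make_entry("sha256:" + "44" * 32, "https://github.com/example/app/.github/workflows/release.yml@refs/tags/v1.0.1", GITHUB_ISSUER, 1700000300),
    make_entry("sha256:" + "55" * 32, "dev@example.com", "https://accounts.google.com", 1700000400),
]


def demo() -> Dict[str, bool]:
    """Exercise the properties a verifier relies on; each value should be True."""
    root, size = root_hash(ENTRIES), len(ENTRIES)
    results: Dict[str, bool] = {}
    # Every recorded entry verifies against the root with its own proof.
    results["all_entries_included"] = all(
        verify_inclusion(e, i, size, inclusion_proof(ENTRIES, i), root)
        for i, e in enumerate(ENTRIES))
    # Changing one field of an entry (here the artifact digest) breaks its proof.
    tampered = make_entry("sha256:" + "ff" * 32, "dev@example.com",
                          "https://accounts.google.com", 1700000000)
    results["tampered_entry_rejected"] = not verify_inclusion(
        tampered, 0, size, inclusion_proof(ENTRIES, 0), root)
    # A proof is bound to the entry's position; reusing it elsewhere fails.
    results["proof_bound_to_position"] = not verify_inclusion(
        ENTRIES[0], 1, size, inclusion_proof(ENTRIES, 0), root)
    # Appending changes the root but keeps every earlier entry provable.
    grown = ENTRIES + [make_entry("sha256:" + "66" * 32, "dev@example.com",
                                  "https://accounts.google.com", 1700000500)]
    results["append_keeps_history"] = verify_inclusion(
        ENTRIES[0], 0, len(grown), inclusion_proof(grown, 0), root_hash(grown))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The point for a verifier is the last function: given an artifact's log entry, its index, the tree size and an audit path, it can confirm the entry is in the log using only a root hash it already trusts, so a log operator cannot silently edit or drop a past signing event without the root changing. Real sigstore clients add the steps this model omits: checking the signature over the checkpoint, matching the entry's certificate identity and OIDC issuer against policy, and checking that the short-lived Fulcio certificate was valid at the log's integrated time.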

Sigstore is widely adopted in the cloud-native ecosystem and integrates with tools like Kubernetes, container registries, CI/CD pipelines, and package managers. It is commonly used to sign container images, Helm charts, binaries, and SBOMs, and is increasingly becoming a baseline security requirement for production software delivery.

The project is governed by the OpenSSF (Open Source Security Foundation) and supported by major industry players.