Main concepts

sigstore combines several different technologies that focus on automatic key management and transparency logs. They can be used independently or as one single process, and together they create a safer chain of custody tracing software back to the source.

Cosign (container signing, verification and storage)
Fulcio (root certificate authority)
Rekor (transparency log)
OpenID Connect (means of authentication)

Cosign

For container signing, verification and storage in an Open Container Initiative (OCI) registry, making signatures invisible infrastructure.

Fulcio

A free root certification authority, issuing temporary certificates to an authorized identity and publishing them in the Rekor transparency log.

Rekor

A built in transparency and timestamping service, Rekor records signed metadata to a ledger that can be searched, but can’t be tampered with.

OpenID Connect

An identity layer that checks if you're who you say you are. It lets clients request and receive information about authenticated sessions and users.

Edit this page on GitHub Updated at Sat, May 21, 2022
sigstore Security model