Sigstore

Sigstore Code Signing

Definition

Sigstore is a free, open-source project that makes code signing accessible for software artifacts by using short-lived certificates tied to OIDC identities instead of long-lived private keys. Signatures are recorded in a transparency log (Rekor) that provides tamper-evident proof of signing events.

Sigstore is rapidly becoming the standard for signing container images, npm packages, and Python distributions.
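To make the verification side of this concrete, here is an added Python model (not code from the Sigstore project or from this page) of the policy a verifier applies to a keyless signature: the certificate, ephemeral key and signature are constructed stand-ins (an HMAC in place of ECDSA), and the point is the checks themselves, in particular that the signing time recorded in the log, not the wall clock, is compared against the short-lived certificate's validity window.

```python
"""Sigstore-style keyless verification policy, modelled with the stdlib only.

Constructed example: the certificate and signature are stand-ins for a
Fulcio-issued certificate and an ECDSA signature; the policy checks are real.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Cert:                  # stand-in for a short-lived signing certificate
    identity: str            # identity the OIDC token named (SAN), e.g. a CI workflow
    issuer: str              # OIDC issuer recorded in the certificate
    not_before: int          # validity window in Unix seconds (minutes, not years)
    not_after: int
    key: bytes               # stand-in for the ephemeral key pair


@dataclass
class RekorEntry:            # stand-in for a transparency-log (Rekor) entry
    digest: str              # sha256 of the signed artifact
    signature: bytes
    cert: Cert
    integrated_time: int     # when the log recorded the signing event


def sign(artifact: bytes, cert: Cert, now: int) -> RekorEntry:
    """Sign with the ephemeral key and record the event in the log (constructed)."""
    digest = hashlib.sha256(artifact).hexdigest()
    sig = hmac.new(cert.key, digest.encode(), "sha256").digest()  # stand-in for ECDSA
    return RekorEntry(digest, sig, cert, integrated_time=now)


def verify(artifact: bytes, entry: RekorEntry, want_identity: str, want_issuer: str) -> str:
    """Return "ok" or the name of the first policy check that failed."""
    c = entry.cert
    if hashlib.sha256(artifact).hexdigest() != entry.digest:
        return "digest-mismatch"
    expected = hmac.new(c.key, entry.digest.encode(), "sha256").digest()
    if not hmac.compare_digest(expected, entry.signature):
        return "bad-signature"
    # Pin the identity: a valid signature from the wrong workflow or issuer still fails.
    if c.identity != want_identity or c.issuer != want_issuer:
        return "identity-mismatch"
    # The certificate is long expired by verification time, so the question is
    # whether the log saw the signature while the certificate was valid.
    if not (c.not_before <= entry.integrated_time <= c.not_after):
        return "signed-outside-cert-validity"
    return "ok"
```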
