Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. Signatures are generated with ephemeral signing keys so there’s no need to manage keys. Signing events are recorded in a tamper-resistant public log so software developers can audit signing events.

• Sigstore @ GitHub.
• Sigstore documentation.
• Streamline security with keyless signing and verification in GitLab @ GitLab.
• Annotate container images with build provenance using Cosign in GitLab CI/CD @ GitLab.