SIGSTORE
Open-source artifact signing via OIDC keyless.
Definition
Sigstore comprises: Cosign (CLI signing), Fulcio (short-lived certs CA), Rekor (immutable transparency log), Gitsign (commit signing). OIDC providers: Google, GitHub, Microsoft, Sigstore. Used by Kubernetes, npm registry, Docker Hub trust delegation. Apache 2.0 license.
Origin
Launched by Red Hat, Google, Linux Foundation in 2021.
Example in context
cosign sign --identity-token $TOKEN gcr.io/myapp:v1 signs image via GitHub OIDC.
Related terms
- Cosign — main CLI.