Security  

Building Secure Software Supply Chains with Sigstore and Cosign

Introduction

Modern software development depends heavily on open-source packages, container images, CI/CD pipelines, cloud services, and third-party dependencies. While these tools accelerate development, they also introduce security risks throughout the software supply chain.

Recent software supply chain attacks have demonstrated that attackers often target build systems, package repositories, and deployment pipelines rather than attacking applications directly. As organizations increasingly adopt cloud-native architectures, securing the software supply chain has become a critical requirement.

This is where Sigstore and Cosign come into play.

Sigstore provides an open-source framework for securing software artifacts through signing, verification, and transparency logs. Cosign, a key component of Sigstore, enables developers to digitally sign and verify container images and other software artifacts.

In this article, you'll learn how Sigstore and Cosign work, why software supply chain security matters, and how to implement secure artifact signing in modern development workflows.

What Is Software Supply Chain Security?

A software supply chain includes every component involved in building and delivering software.

Typical supply chain:

Source Code
     │
     ▼
Build Pipeline
     │
     ▼
Container Image
     │
     ▼
Artifact Registry
     │
     ▼
Deployment Environment

Attackers can target any stage of this process.

Examples include:

  • Compromised dependencies

  • Malicious container images

  • Build server attacks

  • Unauthorized deployments

  • Package repository compromises

Supply chain security ensures software remains trustworthy throughout its lifecycle.

Why Traditional Trust Models Are Insufficient

Traditionally, organizations trust software artifacts based on their source.

Example:

Developer
    │
    ▼
Container Registry
    │
    ▼
Production Deployment

However, questions remain:

  • Who created the artifact?

  • Has it been modified?

  • Was it built by an approved pipeline?

  • Is it authentic?

Without verification mechanisms, answering these questions becomes difficult.

This challenge has driven adoption of artifact signing technologies.

What Is Sigstore?

Sigstore is an open-source project designed to improve software supply chain security.

Its primary goals are:

  • Simplified artifact signing

  • Public transparency

  • Identity-based trust

  • Automated verification

Sigstore provides several components:

Sigstore
   │
   ├── Cosign
   ├── Fulcio
   ├── Rekor
   └── Policy Tools

Together, these components create a secure trust framework for software artifacts.

Understanding Sigstore Components

Cosign

Cosign signs and verifies software artifacts.

Supported artifacts include:

  • Container images

  • Binaries

  • SBOMs

  • OCI artifacts

Fulcio

Fulcio acts as a certificate authority.

It issues short-lived certificates tied to verified identities.

Examples:

  • GitHub identities

  • Google accounts

  • Enterprise identities

Rekor

Rekor is a transparency log.

It records signing events publicly.

Benefits include:

  • Auditability

  • Tamper detection

  • Verification history

What Is Cosign?

Cosign is a command-line tool that enables cryptographic signing and verification of artifacts.

Workflow:

Build Artifact
      │
      ▼
Cosign Sign
      │
      ▼
Signed Artifact
      │
      ▼
Verification

Cosign integrates seamlessly with modern container ecosystems.

It supports:

  • Docker images

  • OCI registries

  • Kubernetes deployments

  • CI/CD pipelines

Why Artifact Signing Matters

Imagine a container image stored in a registry.

Without signing:

Container Image
      │
      ▼
Unknown Authenticity

With signing:

Container Image
      │
      ▼
Digital Signature
      │
      ▼
Verified Identity

Benefits include:

  • Proven authenticity

  • Tamper protection

  • Deployment trust

  • Compliance support

Signing establishes trust between producers and consumers.

Installing Cosign

Install Cosign using Homebrew:

brew install cosign

Using Chocolatey:

choco install cosign

Verify installation:

cosign version

Successful installation displays the installed version.

Signing a Container Image

Assume a container image exists:

docker.io/company/api:v1

Sign the image:

cosign sign docker.io/company/api:v1

Cosign will:

  1. Authenticate identity.

  2. Generate a signature.

  3. Store metadata.

  4. Record the event in Rekor.

The image is now cryptographically signed.

Verifying a Container Image

Verification ensures authenticity.

Example:

cosign verify docker.io/company/api:v1

Verification checks:

  • Signature validity

  • Identity information

  • Transparency log records

Example output:

Verification successful

Only trusted artifacts should be deployed.

Keyless Signing

One of Sigstore's most innovative features is keyless signing.

Traditional approach:

Private Key
      │
      ▼
Signing Process

Problems include:

  • Key storage complexity

  • Rotation requirements

  • Secret management

Sigstore approach:

Identity Provider
      │
      ▼
Fulcio Certificate
      │
      ▼
Artifact Signing

Benefits include:

  • Reduced key management

  • Improved security

  • Simplified workflows

Developers authenticate using existing identities.

Understanding Transparency Logs

Transparency logs improve trust.

Signing workflow:

Artifact
    │
    ▼
Signature
    │
    ▼
Rekor Log

Benefits:

  • Public verification

  • Tamper evidence

  • Historical tracking

Organizations can verify whether artifacts were legitimately signed.

Securing CI/CD Pipelines

Modern pipelines often look like this:

Source Code
      │
      ▼
GitHub Actions
      │
      ▼
Build Container
      │
      ▼
Push Registry

With Sigstore:

Source Code
      │
      ▼
Build Pipeline
      │
      ▼
Cosign Sign
      │
      ▼
Registry
      │
      ▼
Deployment

Every artifact becomes verifiable before deployment.

GitHub Actions Example

Example workflow:

name: Build

on:
  push:

jobs:
  build:
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - uses: actions/checkout@v4

      - name: Sign Image
        run: |
          cosign sign \
          myregistry/app:latest

This automatically signs images during CI/CD execution.

Verifying Images in Kubernetes

Organizations can prevent unsigned images from running.

Deployment flow:

Signed Image
      │
      ▼
Admission Controller
      │
      ▼
Kubernetes Cluster

Unsigned images are rejected.

Benefits:

  • Improved security

  • Policy enforcement

  • Compliance support

Only trusted workloads reach production.

Understanding SBOM Signing

Software Bill of Materials (SBOM) documents software components.

Example:

Application
    │
    ├── Library A
    ├── Library B
    └── Library C

Cosign can sign SBOMs:

cosign sign-blob sbom.json

This ensures dependency information remains trustworthy.

Real-World Use Cases

Organizations use Sigstore and Cosign for:

Container Security

Verifying container authenticity.

Kubernetes Security

Preventing untrusted deployments.

Open Source Distribution

Signing release artifacts.

Enterprise Compliance

Meeting regulatory requirements.

DevSecOps Automation

Integrating security into CI/CD pipelines.

Software Provenance

Tracking software origins and build history.

Sigstore vs Traditional Signing Approaches

FeatureTraditional SigningSigstore
Key ManagementComplexSimplified
Identity VerificationLimitedStrong
Transparency LogsNoYes
CI/CD IntegrationModerateExcellent
Open SourceVariesYes
Keyless SigningNoYes
Cloud Native SupportLimitedExcellent

Sigstore modernizes software signing for cloud-native environments.

Best Practices

Sign All Production Artifacts

Every deployable artifact should be signed.

Automate Signing

Integrate signing directly into CI/CD pipelines.

Verify Before Deployment

Reject unsigned artifacts.

Use Keyless Signing

Reduce operational overhead associated with key management.

Store Provenance Data

Maintain artifact history for auditing purposes.

Implement Admission Controls

Enforce signature validation in Kubernetes environments.

Monitor Transparency Logs

Review signing events regularly.

Conclusion

Software supply chain security has become one of the most important challenges in modern software development. As organizations increasingly rely on open-source software, cloud-native architectures, and automated deployment pipelines, verifying the authenticity and integrity of software artifacts is essential.

Sigstore and Cosign provide a modern, developer-friendly approach to software signing, verification, and transparency. By leveraging identity-based trust, keyless signing, transparency logs, and seamless CI/CD integration, organizations can significantly strengthen their software supply chain security posture.

Whether you're building containerized applications, managing Kubernetes environments, or distributing open-source software, implementing Sigstore and Cosign can help ensure that only trusted, verified software reaches production.