Trial
Sigstore is an open-source project providing keyless signing and verification for software artifacts. Its three components — Cosign (signs/verifies), Fulcio (issues certificates), and Rekor (transparency log) — are becoming the industry standard for artifact provenance, now extending to AI model signing via the OpenSSF Model Signing specification.
Why It Matters for AI-Assisted Development
Supply chain integrity matters for AI artifacts too — model weights, configs, and tokenizers can be tampered with. Sigstore is the foundation:
- Keyless Signing: Developer authenticates via OIDC (GitHub, Google), Fulcio issues a short-lived certificate, the artifact is signed, the signature is recorded in Rekor's immutable log, and the key is discarded. No long-lived keys to manage.
- AI Model Signing: NVIDIA's NGC uses Sigstore for model signing. The OpenSSF Model Signing (OMS) specification builds on Sigstore infrastructure for any model format.
- Broad Ecosystem Adoption: Homebrew, PyPI, Maven Central, npm, and Kubernetes all use Sigstore. Cosign v3 is GA; Rekor v2 is GA with a redesigned tile-backed transparency log.
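The keyless flow above changes what a verifier has to check, because the certificate is short-lived and the key no longer exists. The sketch below is an added example, not Sigstore or Cosign code: the bundle field names, the 10-minute validity window, the signer identity and the sample data are all constructed assumptions, and it models only the policy decisions (artifact digest, pinned identity and issuer, log time inside the certificate's validity), leaving signature, certificate-chain and log-inclusion checks to the real tooling.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def check_keyless_bundle(artifact, bundle, expected_identity, expected_issuer):
    """Return a list of policy failures; an empty list means the bundle is acceptable.

    Models policy decisions only. Signature, certificate-chain and log
    inclusion-proof verification are assumed to be done by the real tooling.
    """
    failures = []
    cert = bundle["certificate"]
    # 1. The signed digest must match this exact artifact.
    if hashlib.sha256(artifact).hexdigest() != bundle["artifact_sha256"]:
        failures.append("digest mismatch")
    # 2. Pin who signed: anyone with an OIDC account can obtain a certificate,
    #    so a valid signature alone does not identify the expected signer.
    if cert["identity"] != expected_identity:
        failures.append("unexpected identity")
    if cert["issuer"] != expected_issuer:
        failures.append("unexpected issuer")
    # 3. The key is discarded and the certificate is short-lived, so the log's
    #    timestamp (not the current time) must fall inside the validity window.
    logged = bundle["log_integrated_time"]
    if not cert["not_before"] <= logged <= cert["not_after"]:
        failures.append("logged outside certificate validity")
    return failures

def make_sample_bundle(artifact, identity, issuer, log_delay_minutes):
    """Constructed sample data; field names are hypothetical, not the Sigstore bundle format."""
    issued = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    return {
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "certificate": {
            "identity": identity,
            "issuer": issuer,
            "not_before": issued,
            "not_after": issued + timedelta(minutes=10),  # assumed lifetime
        },
        "log_integrated_time": issued + timedelta(minutes=log_delay_minutes),
    }

WEIGHTS = b"constructed model weights"  # stands in for a model file
ISSUER = "https://token.actions.githubusercontent.com"
SIGNER = "https://github.com/example-org/model-repo/.github/workflows/release.yml@refs/heads/main"

if __name__ == "__main__":
    good = make_sample_bundle(WEIGHTS, SIGNER, ISSUER, log_delay_minutes=1)
    print(check_keyless_bundle(WEIGHTS, good, SIGNER, ISSUER))
```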
Strengths
- Keyless signing eliminates key management burden
- Transparency log provides public auditability
- Broad and growing ecosystem adoption
- Extending to AI/ML model signing via OMS
- Fully open-source (Apache-2.0); public infrastructure free to use
Limitations
- Public verification exposes metadata (a concern for some enterprises)
- Tooling is primarily focused on GitHub CI; Azure Pipelines and Jenkins are less well supported
- Still maturing for non-container use cases
- Learning curve for teams unfamiliar with signing concepts
Pricing
Fully open-source. Public Sigstore infrastructure (Fulcio, Rekor) is free to use. Enterprises can self-host.