Implementing Code Signing for Artifacts

When to Use

• When establishing artifact integrity verification to prevent supply chain tampering
• When compliance requires cryptographic proof that build artifacts are authentic and unmodified
• When distributing software to customers who need to verify publisher identity
• When implementing zero-trust deployment pipelines that reject unsigned artifacts
• When meeting SLSA Level 2+ requirements for provenance and integrity

Do not use for encrypting artifacts (signing provides integrity, not confidentiality), for container image signing specifically (use cosign), or for source code authentication (use commit signing).

Prerequisites

• GPG key pair for traditional signing or Sigstore account for keyless signing
• Code signing certificate from a Certificate Authority for public distribution
• CI/CD pipeline with access to signing keys or identity provider
• Verification infrastructure in deployment pipelines