implementing-sigstore-for-software-signing
Installation
SKILL.md
Implementing Sigstore for Software Signing
When to Use
- Signing container images and software artifacts without managing long-lived cryptographic keys
- Establishing verifiable provenance for build outputs in CI/CD pipelines using OIDC identity binding
- Querying the Rekor transparency log to audit when and by whom an artifact was signed
- Verifying that container images pulled from registries were signed by authorized identities and issuers
- Integrating Sigstore verification into Kubernetes admission controllers to enforce signed-image policies
Do not use for signing artifacts that require air-gapped or offline signing workflows where OIDC authentication is unavailable, for environments that cannot reach the public Sigstore infrastructure (Fulcio, Rekor) and have no private instance deployed, or as a replacement for traditional PGP/GPG signing where regulatory compliance mandates specific key management procedures.
Prerequisites
- Cosign CLI v2.4+ installed (
go install github.com/sigstore/cosign/v2/cmd/cosign@latestor binary release) - Access to an OIDC identity provider supported by Fulcio (Google, GitHub, Microsoft, or a custom OIDC issuer)
- Container registry credentials (for signing container images) with push access to store signature objects
- Python 3.9+ with
sigstore,requests, andcryptographypackages for the automation agent - Network access to
fulcio.sigstore.dev,rekor.sigstore.dev, andtuf-repo-cdn.sigstore.dev(or private Sigstore instance URLs)