▸ Establishes the root of trust and serves the public keys and root CA certificate that clients verify against
▸ Fulcio: CA server that issues short-lived code-signing certificates based on an authenticated OIDC identity
▸ Certificate Transparency log: append-only, immutable, verifiable transparency log that stores the signing certificates
▸ Rekor: API-based server for validation, with a transparency log for storage
▸ Trillian: backend for Rekor; implements the transparency log as a tamper-evident, append-only Merkle tree
▸ Rekor CLI: verify that an artifact is stored in the transparency log, query the log and retrieve entries
▸ Cosign: container signing tool
▸ Gitsign: keyless signing for Git commits
▸ Helm: upstream Sigstore scaffold chart with OpenShift-specific configuration and resources
▸ Transparency log for signatures and provenance attestations
▸ All cryptographically verifiable, auditable, community operated
[ Diagram from Sigstore documentation ]
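The "verifiable, append-only" claim above is what a client checks when `rekor-cli verify` asks the log for an inclusion proof. The following is an added example, not code from Sigstore, Rekor or Trillian: a toy log that uses the RFC 6962 leaf and node hashing Trillian also uses, generates inclusion proofs, verifies them the way a client does (from leaf, index, tree size and a pinned root only), and shows why a client must pin the signed checkpoint rather than ask the log for its current root. The entries, the `Log` class and the `demo` function are constructed for illustration.

```python
"""Toy append-only Merkle log with RFC 6962 inclusion proofs.

Added example, not code from Sigstore, Rekor or Trillian. It uses the
RFC 6962 hashing that Rekor/Trillian use (0x00 || leaf, 0x01 || left || right),
so the inclusion proof has the same shape as the one `rekor-cli verify`
checks against a signed tree head. Entries below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 subtree split)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(leaves: list[bytes]) -> bytes:
    """Merkle tree head (MTH) over the given leaves."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_proof(leaves: list[bytes], m: int) -> list[bytes]:
    """Audit path for leaf index m (RFC 6962 section 2.1.1)."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [root_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [root_hash(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): recompute the root from
    the leaf and the audit path using only the tree size and leaf index."""
    if index >= size:
        return False
    h, fn, sn = leaf_hash(leaf), index, size - 1
    for p in proof:
        if sn == 0:
            return False            # more path elements than the tree has levels
        if fn & 1 or fn == sn:
            h = node_hash(p, h)     # sibling sits to the left
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            h = node_hash(h, p)     # sibling sits to the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and h == root


@dataclass
class Log:
    """Append-only log: entries are added, never changed or removed."""
    entries: list[bytes] = field(default_factory=list)

    def append(self, entry: bytes) -> int:
        self.entries.append(entry)
        return len(self.entries) - 1

    def checkpoint(self) -> tuple[int, bytes]:
        """(tree size, root hash); Rekor signs this pair so clients can pin it."""
        return len(self.entries), root_hash(self.entries)

    def prove(self, index: int) -> list[bytes]:
        return inclusion_proof(self.entries, index)


def demo() -> dict:
    log = Log()
    for i in range(5):
        # constructed stand-ins for Rekor entries (signature, cert, artifact digest)
        log.append(f"entry-{i}: sha256:{i:064x}".encode())
    size, root = log.checkpoint()          # the checkpoint a client pins
    ok = all(verify_inclusion(log.entries[i], i, size, log.prove(i), root)
             for i in range(size))
    # Tamper with a stored entry. A fresh proof verifies against the log's *new*
    # root, but not against the checkpoint the client already holds: the log is
    # tamper-evident only if clients pin signed checkpoints.
    log.entries[2] = b"entry-2: sha256:" + b"f" * 64
    fresh = verify_inclusion(log.entries[2], 2, size, log.prove(2),
                             root_hash(log.entries))
    pinned = verify_inclusion(log.entries[2], 2, size, log.prove(2), root)
    return {"all_included": ok, "tampered_vs_new_root": fresh,
            "tampered_vs_pinned_root": pinned}


if __name__ == "__main__":
    print(demo())
```

Run it as a script: all five original entries verify against the checkpoint; after the entry is altered, the proof only verifies against a root the tampered log itself computes, which is exactly the situation a pinned, signed checkpoint (and, in Rekor, gossip of signed tree heads between auditors) is meant to catch.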
Sigstore Integrations
▸ Admission controller: integration with policy enforcement tools such as OPA Gatekeeper, Kyverno and Red Hat Advanced Cluster Security
▸ Tekton Chains: image and artifact signing as part of CI/CD workflows (also GitHub Actions)