Sigstore is an open-source project that makes signing, verifying, and auditing software artifacts as easy as using HTTPS: it removes the burden of key management by tying signatures to short-lived OIDC identities instead of long-lived private keys. Cosign is the primary CLI tool in the Sigstore ecosystem, enabling teams to sign container images, blobs, Helm charts, and OCI artifacts, attach SBOM and provenance attestations, and enforce verification policies in Kubernetes admission controllers. This cheat sheet covers the full supply chain security workflow: from keyless signing flows and transparency log queries to SLSA provenance, Kyverno policies, Tekton Chains integration, and migration away from deprecated Docker Content Trust.
What This Cheat Sheet Covers
This cheat sheet spans 15 focused tables and 93 indexed concepts. Below is a complete table-by-table outline, from foundational concepts through advanced details.
Table 1: Sigstore Architecture and Core Components
Sigstore is built on three interlocking services that together provide signing, certificate issuance, and public auditability without requiring signers to manage long-lived keys. Understanding how Fulcio, Rekor, and the trust root (TUF) fit together is the prerequisite for all other Sigstore concepts.
| Component | Example | Description |
|---|---|---|
| Cosign | `cosign sign --yes ghcr.io/org/app:abc` | • CLI tool for signing, verifying, and attaching attestations to container images and OCI artifacts • part of the Sigstore project |
| Fulcio | https://fulcio.sigstore.dev | • Free, open-source certificate authority that issues short-lived X.509 certificates (10-minute TTL) bound to an OIDC identity • publishes issued certificates to a certificate transparency log |
| Rekor | https://rekor.sigstore.dev | • Append-only, tamper-evident transparency log for software signatures backed by a Merkle tree • provides publicly auditable inclusion proofs |