Skip to main content

Signing

Cryptographic signing of artifacts to allow for verification of the consistency and integrity of the data they contain. Data frequently includes source code commits, configs, binaries and meta-data but can also be any data blob. Cryptographic signatures can also provide attribution and provenance data (lineage and chain of custody). When combined with attestations (meta-data with a specific predicate in regards to the material being signed) they can be used to build up “trust telemetry” or verifiable signals about the material and how it was processed. These are foundational elements of a Secure Software Supply Chain.

  • Allows for verifying Consistency and Integrity of contents
  • Can also provide provenance and attribution
  • Can be combined with attestations to create "Trust Telemetry"
  • Foundational to Secure Software Supply Chain practices
  • Common tools to perform signing include:
    • Sigstore
    • PGP
    • PKCS #11