Signing software artifacts
Sign Here
Sigstore [1] is an open source solution for cryptographically signing software artifacts and verifying those signatures in a transparent, tamper-evident manner. Created to improve software supply chain security by making signatures easy to use and difficult to subvert, the Sigstore ecosystem comprises three core components: Cosign, Fulcio, and Rekor.
Cosign [2] is the command-line tool that developers and CI/CD systems use to sign container images and other artifacts and to verify those signatures [3]. Fulcio is a lightweight certificate authority that issues short-lived signing certificates with the use of OpenID Connect (OIDC) identities. Rekor is a public transparency log that records metadata about each signing event in an immutable ledger. Together, these components let anyone verify who signed a piece of software and ensure that the signature is recorded on a public log, deterring and detecting tampering or mischief. This integration of Fulcio (for identity verification) and Rekor (for public logging) with the Cosign command-line interface (CLI) provides a modern approach to trust in software artifacts. Importantly, Cosign stores signatures as Open Container Initiative (OCI) artifacts in container registries next to the images themselves, so distributing and retrieving signatures is as straightforward as pulling container images.
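The sign-and-verify round trip just described, as an added example that is not code from the article or from the Sigstore project. It assumes Cosign v2 is installed and that the caller can push to the registry holding the image and can obtain an OIDC identity (browser flow on a workstation, or a CI token). The image reference, the signer identity and the issuer URL are placeholders; the two pure-shell helpers (`signature_ref`, which reproduces what `cosign triangulate` prints, and `is_digest_ref`) run offline.

```shell
#!/usr/bin/env sh
# Added example (not from the article or the Sigstore project): keyless
# signing and verification with the Cosign CLI, plus two offline helpers.
# IMAGE, SIGNER_IDENTITY and OIDC_ISSUER are placeholder values.

SIGNER_IDENTITY="${SIGNER_IDENTITY:-release-bot@example.com}"          # placeholder
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}" # example: GitHub Actions issuer

# Cosign stores a signature as an OCI artifact in the same repository as the
# image, under the tag "sha256-<image digest hex>.sig". Deriving that tag from a
# digest-pinned reference lets you inspect or mirror the signature with ordinary
# registry tools.
signature_ref() {
    ref="$1"                    # e.g. registry.example.com/team/app@sha256:<hex>
    repo="${ref%@sha256:*}"     # drop "@sha256:<hex>"
    hex="${ref##*@sha256:}"     # keep only "<hex>"
    printf '%s:sha256-%s.sig\n' "$repo" "$hex"
}

# Accept only digest-pinned references. A tag is mutable: it can be re-pointed
# to a different image between the verify step and the deploy step, so signing
# or verifying "repo:latest" proves nothing about what is later pulled.
is_digest_ref() {
    hex="${1##*@sha256:}"
    [ "$hex" != "$1" ] || return 1        # no "@sha256:" in the reference
    [ "${#hex}" -eq 64 ] || return 1      # SHA-256 digest is 64 hex characters
    case "$hex" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# Keyless signing: cosign obtains an OIDC token, Fulcio issues a short-lived
# certificate bound to that identity, the signature is pushed next to the
# image, and the signing event is recorded in the Rekor transparency log.
sign_image() {
    command -v cosign >/dev/null 2>&1 || { echo "cosign is not installed" >&2; return 127; }
    is_digest_ref "$1" || { echo "refusing to sign a tag; pin the image by digest" >&2; return 2; }
    cosign sign --yes "$1"
}

# Verification must state which identity and issuer are trusted. Without the
# two --certificate-* flags any valid Sigstore signature, from anyone, would be
# accepted, which defeats the purpose of checking the signature at all.
verify_image() {
    command -v cosign >/dev/null 2>&1 || { echo "cosign is not installed" >&2; return 127; }
    is_digest_ref "$1" || { echo "refusing to verify a tag; pin the image by digest" >&2; return 2; }
    cosign verify \
        --certificate-identity "$SIGNER_IDENTITY" \
        --certificate-oidc-issuer "$OIDC_ISSUER" \
        "$1" >/dev/null
}

# Usage: sh sign_verify.sh sign|verify|triangulate <image@sha256:...>
case "${1:-}" in
    sign)        sign_image "$2" ;;
    verify)      verify_image "$2" ;;
    triangulate) signature_ref "$2" ;;
esac
```

Run it as `sh sign_verify.sh sign registry.example.com/team/app@sha256:<digest>` from a CI job, then gate deployment on `sh sign_verify.sh verify ...` with `SIGNER_IDENTITY` and `OIDC_ISSUER` set to the identity the pipeline is expected to sign with. Both helpers refuse tag-only references deliberately; the digest is the only stable name for the bytes that were signed.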
Setting Up Cosign
Getting Cosign up and running on an Ubuntu system is straightforward. Because Cosign is distributed as a single binary, you can install it either through a package manager or by downloading the binary directly. In recent Ubuntu releases, Cosign is available in the default repositories (universe), so you can install it with Apt:
sudo apt install cosign
This command places the
