Sigstore – A new standard for signing, verifying and protecting software

This page summarizes the projects mentioned and recommended in the original post on

  • GitHub repo rekor

    Supply Chain Transparency Log

  • GitHub repo cargo-crev

    A cryptographically verifiable code review system for the cargo (Rust) package manager.

    The reviewing aspect sounds a lot like cargo-crev. [1]


  • GitHub repo Rustup

    The Rust toolchain installer

    This is pretty cool and I think one of the good application areas of distributed ledger technology.

    Signing is still a hard problem, even for established projects like Rust. Right now, rustup does not verify signatures in any way or form. The security is solely thanks to https and the S3 bucket not being compromised.

  • GitHub repo fulcio

    Sigstore WebPKI

    Did you follow the link to the project list on GitHub? The actual tool for doing the signing, cosign, is just a binary you can install on your device and generate signatures and keys yourself. The "service" part of it seems to just be having your public certificate vouched for by a trusted code signing CA. I don't see anything in the tooling that requires your users to only trust that CA. If you want to sign your cert with your own CA and tell your users to trust that instead, they seemingly can do that, just as you can do that today in browsers. That you can't do it with Firefox extensions and mobile app stores is a limitation intentionally built into the distribution channel. It's not a limitation of PKI itself. iOS, Android, and Mozilla could have chosen to let users install arbitrary trusted CAs. You shouldn't dismiss all PKI based on the fact that a few vendors have chosen to implement it in a crappy way to make walled gardens.

    It doesn't say this on the announcement, but looking at the actual PKI service (, it seems to be entirely possible to self-host the service and roll your own CA.
