By completing this course, learners will:

• Install and configure Sigstore tools.

• Sign and verify container images and software artifacts.

• Use Fulcio for ephemeral keyless certificates.

• Record signatures in Rekor’s immutable transparency log.

• Integrate Sigstore into CI/CD and GitOps pipelines.

• Apply best practices for supply chain security.

Course Syllabus

Module 1: Introduction to Sigstore

• What is Sigstore?

• Supply chain security challenges

• Components: Cosign, Fulcio, Rekor

Module 2: Artifact Signing with Cosign

• Installing Cosign

• Keyless signing with OIDC identity

• Signing container images and binaries

• Verifying signatures

Module 3: Certificates with Fulcio

• Ephemeral certificates explained

• OIDC identity providers (GitHub, Google, etc.)

• Keyless authentication flows

• Integrating Fulcio with CI/CD

Module 4: Transparency with Rekor

• What is a transparency log?

• Recording signatures in Rekor

• Querying and auditing logs

• Ensuring immutability and accountability

Module 5: Integrations & Ecosystem

• Sigstore with Kubernetes manifests and Helm charts

• Cosign in CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins)

• Container registry integrations (Docker Hub, GCR, ECR, ACR)

• Open-source adoption and ecosystem tools

Module 6: Deployment & Scaling

• Deploying Sigstore services locally or in the cloud

• Scaling Rekor for enterprise use

• Monitoring and alerting

• Key management vs keyless workflows

Module 7: Real-World Projects

• Secure container supply chain with Cosign

• Verifying third-party dependencies in CI

• GitOps pipeline with signed Kubernetes manifests

• End-to-end software release signing

Module 8: Best Practices & Future Trends

• Policy enforcement with OPA + Sigstore

• SLSA levels and Sigstore integration

• OpenSSF and supply chain security ecosystem

• Future of artifact signing in open source

Learners will receive a Certificate of Completion from Uplatz, validating their expertise in Sigstore and software supply chain security. This certification demonstrates readiness for roles in DevSecOps, security engineering, and cloud-native development.

Sigstore skills prepare learners for roles such as:

• DevSecOps Engineer

• Cloud Security Engineer

• Supply Chain Security Specialist

• Kubernetes/Container Security Engineer

• Open Source Security Advocate

Sigstore is increasingly being adopted in open-source communities, enterprises, and cloud-native ecosystems to combat supply chain attacks, making it a cutting-edge career skill.

1. What is Sigstore?
An open-source project for signing, verifying, and securing software artifacts with keyless cryptography and transparency logs.

2. What are Sigstore’s main components?
Cosign (sign/verify artifacts), Fulcio (ephemeral certificates), and Rekor (transparency log).

3. How does Cosign work?
It signs container images and artifacts using either traditional keys or keyless OIDC-based identities.

4. What is keyless signing in Sigstore?
A process where ephemeral keys are issued by Fulcio, tied to an OIDC identity, eliminating long-lived keys.

5. What is Rekor’s role?
It maintains an immutable transparency log of signatures for auditability and accountability.

6. How does Sigstore improve supply chain security?
By ensuring artifact authenticity, integrity, and traceability through verifiable signatures and logs.

7. Can Sigstore integrate with Kubernetes?
Yes, it can sign and verify Kubernetes manifests and Helm charts.

8. What are the benefits of Sigstore?

• Simplifies artifact signing

• Eliminates key management complexity

• Ensures transparency and auditability

• Strong community and ecosystem adoption

9. What are challenges with Sigstore?

• Learning curve for new tools (Cosign, Rego)

• Scaling Rekor in large environments

• Integration overhead in legacy pipelines

10. Where is Sigstore being adopted?
By open-source projects, CNCF communities, and enterprises focused on supply chain security and compliance.