Sigstore

Sigstore is a set of free-to-use open source tools for signing, verifying, and protecting software supply chain artifacts. It provides a transparent and auditable signing infrastructure that eliminates the need for managing signing keys, making software supply chain security more accessible. The Sigstore ecosystem includes Cosign for artifact signing, Fulcio as the certificate authority, and Rekor as the cryptographically secure transparency log.

3 APIs 0 Features
Tags: Certificate Authority, Code Signing, Containers, Cryptography, Open Source, PKI, Security, Software Supply Chain, Transparency Log

APIs

Rekor Transparency Log API

Rekor is a cryptographically secure, immutable transparency log for signed software releases. The Rekor API enables searching the transparency log, retrieving log entries, check...

Fulcio Certificate Authority API

Fulcio is Sigstore's free Root Certificate Authority for code signing certificates. It issues short-lived signing certificates to software producers based on OIDC authentication...

Cosign

Cosign is the Sigstore tool for signing and verifying container images and other OCI artifacts. It enables keyless signing using OIDC identity, hardware token signing, and polic...

Semantic Vocabularies

Sigstore Context

30 classes · 2 properties

JSON-LD

API Governance Rules

Sigstore API Rules

6 rules · 1 error · 5 warnings

SPECTRAL

Resources

LinkedIn
Website
Documentation
GettingStarted
GitHubOrganization
Blog
Community
Policy Controller
Security
Vocabulary

Sources

aid: sigstore
name: Sigstore
description: >-
  Sigstore is a set of free-to-use open source tools for signing, verifying, and protecting software supply chain
  artifacts. It provides a transparent and auditable signing infrastructure that eliminates the need for managing
  signing keys, making software supply chain security more accessible. The Sigstore ecosystem includes Cosign for
  artifact signing, Fulcio as the certificate authority, and Rekor as the cryptographically secure transparency log.
type: Index
image: https://kinlane-images.s3.amazonaws.com/shared/apis-json/apis-json-logo.jpg
tags:
  - Certificate Authority
  - Code Signing
  - Containers
  - Cryptography
  - Open Source
  - PKI
  - Security
  - Software Supply Chain
  - Transparency Log
url: https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/apis.yml
created: '2026-03-26'
modified: '2026-05-19'
specificationVersion: '0.19'
apis:
  - aid: sigstore:rekor
    name: Rekor Transparency Log API
    description: >-
      Rekor is a cryptographically secure, immutable transparency log for signed software releases. The Rekor API
      enables searching the transparency log, retrieving log entries, checking proofs, and querying the log's public
      key. The public-good instance runs at rekor.sigstore.dev.
    humanURL: https://docs.sigstore.dev/logging/overview/
    baseURL: https://rekor.sigstore.dev
    tags:
      - Cryptography
      - Security
      - Software Supply Chain
      - Transparency Log
    properties:
      - type: Documentation
        url: https://docs.sigstore.dev/logging/overview/
      - type: OpenAPI
        url: https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/openapi/rekor-openapi.yaml
      - type: GitHubRepository
        url: https://github.com/sigstore/rekor
      - type: Rules
        url: https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/rules/sigstore-rules.yml
  - aid: sigstore:fulcio
    name: Fulcio Certificate Authority API
    description: >-
      Fulcio is Sigstore's free Root Certificate Authority for code signing certificates. It issues short-lived signing
      certificates to software producers based on OIDC authentication. The API provides endpoints for obtaining signing
      certificates, retrieving trust bundles, and querying CA configuration. The public instance runs at
      fulcio.sigstore.dev.
    humanURL: https://docs.sigstore.dev/certificate_authority/overview/
    baseURL: https://fulcio.sigstore.dev
    tags:
      - Certificate Authority
      - Code Signing
      - Cryptography
      - OIDC
      - PKI
      - Security
    properties:
      - type: Documentation
        url: https://docs.sigstore.dev/certificate_authority/overview/
      - type: OpenAPI
        url: https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/openapi/fulcio-openapi.json
      - type: GitHubRepository
        url: https://github.com/sigstore/fulcio
  - aid: sigstore:cosign
    name: Cosign
    description: >-
      Cosign is the Sigstore tool for signing and verifying container images and other OCI artifacts. It enables keyless
      signing using OIDC identity, hardware token signing, and policy enforcement for container supply chain security.
    humanURL: https://docs.sigstore.dev/cosign/signing/overview/
    tags:
      - Code Signing
      - Containers
      - OCI
      - Security
      - Software Supply Chain
    properties:
      - type: Documentation
        url: https://docs.sigstore.dev/cosign/signing/overview/
      - type: GitHubRepository
        url: https://github.com/sigstore/cosign
common:
  - type: LinkedIn
    url: https://www.linkedin.com/company/sigstore
  - type: Website
    url: https://www.sigstore.dev/
  - type: Documentation
    url: https://docs.sigstore.dev/
  - type: GettingStarted
    url: https://docs.sigstore.dev/quickstart/quickstart-cosign/
  - type: GitHubOrganization
    url: https://github.com/sigstore
  - type: Blog
    url: https://blog.sigstore.dev/
  - type: Community
    url: https://sigstore.dev/community/
  - type: Policy Controller
    url: https://docs.sigstore.dev/policy-controller/overview/
  - type: Security
    url: https://docs.sigstore.dev/about/security/
  - type: Vocabulary
    url: https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/vocabulary/sigstore-vocabulary.yml
maintainers:
  - FN: Kin Lane
    email: kin@apievangelist.com