implementing-code-signing-for-artifacts

Featured

This skill covers implementing code signing for build artifacts to ensure integrity and authenticity throughout the software supply chain. It addresses signing binaries, packages, and containers using GPG, Sigstore, and platform-specific signing tools, establishing trust chains, and verifying signatures in deployment pipelines.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Implementing Code Signing for Artifacts

## When to Use

- When establishing artifact integrity verification to prevent supply chain tampering
- When compliance requires cryptographic proof that build artifacts are authentic and unmodified
- When distributing software to customers who need to verify publisher identity
- When implementing zero-trust deployment pipelines that reject unsigned artifacts
- When meeting SLSA Level 2+ requirements for provenance and integrity

**Do not use** for encrypting artifacts (signing provides integrity, not confidentiality), for container image signing specifically (use cosign), or for source code authentication (use commit signing).

## Prerequisites

- GPG key pair for traditional signing or Sigstore account for keyless signing
- Code signing certificate from a Certificate Authority for public distribution
- CI/CD pipeline with access to signing keys or identity provider
- Verification infrastructure in deployment pipelines

## Workflow

### Step 1: Generate and Manage Signing Keys

```bash
# Generate GPG key for artifact signing
gpg --full-generate-key --batch <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: eddsa
Subkey-Curve: ed25519
Name-Real: CI Build System
Name-Email: ci-signing@company.com
Expire-Date: 1y
%no-protection
EOF

# Export public key for distribution
gpg --armor --export ci-signing@company.com > signing-key.pub

# Export private key for CI/CD (store in secrets manager)
gpg --armor --export-secret-keys ci-signing@c...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

sigstore-signing

Sign container images and artifacts with cosign (keyless via OIDC and key-based); verify signatures in CD pipelines and admission policies.

14 Updated 3 days ago
sawrus
AI & Automation Featured

implementing-sigstore-for-software-signing

Implements Sigstore-based software signing and verification using Cosign keyless signing, Rekor transparency log verification, and Fulcio certificate authority integration to establish cryptographic provenance for container images, binaries, and software artifacts. The practitioner configures OIDC-based identity binding, verifies signing events against the Rekor transparency log, and integrates signing workflows into CI/CD pipelines. Activates for requests involving software supply chain signing, keyless container signing, Sigstore deployment, or artifact provenance verification.

12,642 Updated today
mukul975
AI & Automation Solid

azure-artifact-signing

Expert knowledge for Azure Artifact Signing development including best practices, decision making, security, configuration, and integrations & coding patterns. Use when managing signing cert lifecycle, RBAC roles, DGSSv2 migration, diagnostic logs, or CI/CD signing workflows, and other Azure Artifact Signing related development tasks.

562 Updated today
MicrosoftDocs
AI & Automation Solid

pipeline-security

Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.

14 Updated 3 days ago
sawrus
AI & Automation Solid

windows-authenticode-signer

Sign Windows executables with Authenticode using signtool, supporting EV and standard certificates

1,034 Updated today
a5c-ai