Sigstore — Software Artifact Signing and Verification
Sigstore is a set of open-source tools for signing, verifying, and protecting software artifacts. It was created by Google, Red Hat, and Purdue University and is now maintained under the OpenSSF.
Domains
Verification and Trust
Rekor - Transparency Log
Fulcio - Certificate Authority
Cosign - Artifact Signing
Frequently Asked Questions
What is Sigstore?
Sigstore is a set of open-source tools for signing, verifying, and protecting software artifacts. It was created by Google, Red Hat, and Purdue University and is now maintained under the OpenSSF.
How many controls does Sigstore have?
Sigstore contains 13 controls organized across 4 domains.
Where does Sigstore apply?
Sigstore's scope is International (OpenSSF); it is not tied to a single national jurisdiction. Organizations operating in or serving customers within this scope should evaluate its requirements.
What frameworks does Sigstore map to?
Sigstore has control-to-control mappings with 441 other compliance frameworks in our database. Use our compliance platform to explore these mappings interactively.
How do I get started with Sigstore compliance?
Start by understanding the framework's key controls and domains. Our compliance platform provides AI-powered gap analysis and mapping tools to help you assess your current posture and build a remediation plan.
How ready are you for Sigstore — Software Artifact Signing and Verification?
Answer 25 questions and get a professional readiness report with gap analysis, maturity scores, and prioritised action items. Results in 5 minutes.