"Sigstore: Keyless Signing and Verification for Cloud-Native Software"
Software supply-chain security is no longer about whether you can sign artifacts—it's about whether you can prove, repeatedly and at scale, who produced them, under what identity, and with what verifiable evidence. This book targets experienced platform engineers, security engineers, and CI/CD owners who need production-grade trust decisions without the fragility of long-lived signing keys and ad hoc verification scripts.
You'll learn Sigstore's architecture and root-of-trust model, how OIDC identity becomes the signing primitive, and the complete keyless flow across Fulcio, Rekor, and deterministic verification. The book goes deep on Cosign as an operational tool: designing version-aware, reproducible signing and verification pipelines; encoding issuer/subject expectations; and handling interoperability and migration from key-managed approaches. It then extends "who signed" into "how it was built" via in-toto attestations, provenance, and policy-driven admission control, including rollout and exception strategies that don't quietly become backdoors.
Along the way, you'll build an operator's mental model: offline bundles for air-gapped verification, trust metadata distribution and rotation with TUF, transparency-log monitoring to detect abnormal signing, and incident response playbooks for compromise scenarios. Readers should be comfortable with PKI concepts, container registries/OCI artifacts, and modern CI/CD systems; the focus is on rigor, failure modes, and real-world decision criteria rather than