Sigstore

Sigstore is a set of free-to-use open source tools for signing, verifying, and protecting software supply chain artifacts. It provides a transparent and auditable signing infrastructure that eliminates the need for managing signing keys, making software supply chain security more accessible. The Sigstore ecosystem includes Cosign for artifact signing, Fulcio as the certificate authority, and Rekor as the cryptographically secure transparency log.

3 APIs · 1 Capabilities · 0 Features
Tags: Certificate Authority, Code Signing, Containers, Cryptography, Open Source, PKI, Security, Software Supply Chain, Transparency Log

APIs

Rekor Transparency Log API

Rekor is a cryptographically secure, immutable transparency log for signed software releases. The Rekor API enables searching the transparency log, retrieving log entries, check...

Fulcio Certificate Authority API

Fulcio is Sigstore's free Root Certificate Authority for code signing certificates. It issues short-lived signing certificates to software producers based on OIDC authentication...

Cosign

Cosign is the Sigstore tool for signing and verifying container images and other OCI artifacts. It enables keyless signing using OIDC identity, hardware token signing, and polic...

Capabilities

Sigstore Software Supply Chain Security

Unified software supply chain security workflow combining Sigstore's Rekor transparency log and Fulcio certificate authority. Enables artifact signing, verification, certificate...

Semantic Vocabularies

Sigstore Context

30 classes · 2 properties

JSON-LD

API Governance Rules

Sigstore API Rules

6 rules · 1 error · 5 warnings

SPECTRAL

Resources

Website
Documentation
Getting Started
GitHub Organization
Blog
Community
Policy Controller
Security
Vocabulary

Sources

aid: sigstore
name: Sigstore
description: >-
  Sigstore is a set of free-to-use open source tools for signing, verifying,
  and protecting software supply chain artifacts. It provides a transparent
  and auditable signing infrastructure that eliminates the need for managing
  signing keys, making software supply chain security more accessible.
  The Sigstore ecosystem includes Cosign for artifact signing, Fulcio as
  the certificate authority, and Rekor as the cryptographically secure
  transparency log.
type: Index
image: https://kinlane-productions.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
  - Certificate Authority
  - Code Signing
  - Containers
  - Cryptography
  - Open Source
  - PKI
  - Security
  - Software Supply Chain
  - Transparency Log
url: >-
  https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/apis.yml
created: '2026-03-26'
modified: '2026-05-02'
specificationVersion: '0.19'
apis:
  - aid: sigstore:rekor
    name: Rekor Transparency Log API
    description: >-
      Rekor is a cryptographically secure, immutable transparency log for signed
      software releases. The Rekor API enables searching the transparency log,
      retrieving log entries, checking proofs, and querying the log's public key.
      The public-good instance runs at rekor.sigstore.dev.
    humanURL: https://docs.sigstore.dev/logging/overview/
    baseURL: https://rekor.sigstore.dev
    tags:
      - Cryptography
      - Security
      - Software Supply Chain
      - Transparency Log
    properties:
      - type: Documentation
        url: https://docs.sigstore.dev/logging/overview/
      - type: OpenAPI
        url: https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/openapi/rekor-openapi.yaml
      - type: GitHub Repository
        url: https://github.com/sigstore/rekor
      - type: Rules
        url: https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/rules/sigstore-rules.yml

  - aid: sigstore:fulcio
    name: Fulcio Certificate Authority API
    description: >-
      Fulcio is Sigstore's free Root Certificate Authority for code signing certificates.
      It issues short-lived signing certificates to software producers based on OIDC
      authentication. The API provides endpoints for obtaining signing certificates,
      retrieving trust bundles, and querying CA configuration. The public instance
      runs at fulcio.sigstore.dev.
    humanURL: https://docs.sigstore.dev/certificate_authority/overview/
    baseURL: https://fulcio.sigstore.dev
    tags:
      - Certificate Authority
      - Code Signing
      - Cryptography
      - OIDC
      - PKI
      - Security
    properties:
      - type: Documentation
        url: https://docs.sigstore.dev/certificate_authority/overview/
      - type: OpenAPI
        url: https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/openapi/fulcio-openapi.json
      - type: GitHub Repository
        url: https://github.com/sigstore/fulcio

  - aid: sigstore:cosign
    name: Cosign
    description: >-
      Cosign is the Sigstore tool for signing and verifying container images and
      other OCI artifacts. It enables keyless signing using OIDC identity, hardware
      token signing, and policy enforcement for container supply chain security.
    humanURL: https://docs.sigstore.dev/cosign/signing/overview/
    tags:
      - Code Signing
      - Containers
      - OCI
      - Security
      - Software Supply Chain
    properties:
      - type: Documentation
        url: https://docs.sigstore.dev/cosign/signing/overview/
      - type: GitHub Repository
        url: https://github.com/sigstore/cosign

common:
  - type: Website
    url: https://www.sigstore.dev/
  - type: Documentation
    url: https://docs.sigstore.dev/
  - type: Getting Started
    url: https://docs.sigstore.dev/quickstart/quickstart-cosign/
  - type: GitHub Organization
    url: https://github.com/sigstore
  - type: Blog
    url: https://blog.sigstore.dev/
  - type: Community
    url: https://sigstore.dev/community/
  - type: Policy Controller
    url: https://docs.sigstore.dev/policy-controller/overview/
  - type: Security
    url: https://docs.sigstore.dev/about/security/
  - type: Vocabulary
    url: https://raw.githubusercontent.com/api-evangelist/sigstore/refs/heads/main/vocabulary/sigstore-vocabulary.yml
maintainers:
  - FN: Kin Lane
    email: [email protected]