How Sigstore Works: A Primer for Media

Category: technical
sig-share · 8 min read
Tags: sigstore, fulcio, rekor, keyless-signing, transparency-log

The Sigstore Model

Sigstore is an open-source project that made code signing radically simpler. Before sigstore, developers had to manage cryptographic keys — generating them, storing them securely, rotating them. Most didn't bother. Sigstore eliminated that friction with three innovations:

Keyless Signing with Fulcio

Instead of managing long-lived keys, sigstore uses your existing identity (Google, GitHub, Microsoft account) to issue short-lived signing certificates. You prove who you are via OpenID Connect (OIDC), and Fulcio — sigstore's certificate authority — issues an ephemeral certificate valid for just minutes. The key is used once and discarded.

This is a paradigm shift: identity replaces key management. You don't need to be a cryptography expert to sign your work.

Transparency Logs with Rekor

Every signing event is recorded in Rekor, an append-only transparency log modeled on Certificate Transparency. This log is:

  • Public: Anyone can read it and verify entries
  • Append-only: Entries cannot be deleted or modified after submission
  • Auditable: Independent monitors can verify the log's integrity

The log provides a permanent, tamper-evident record that a particular identity signed a particular artifact at a particular time: an entry can be checked against the published tree head, and any attempt to alter or drop one is detectable by monitors.
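
The append-only and auditable properties above rest on a Merkle tree: the log publishes a root hash, and each entry comes with an inclusion proof that lets a client recompute that root without trusting the log operator. The following is an added example, not Rekor's code, that builds such a tree with the RFC 6962 leaf and node hashing Rekor uses and verifies a proof; the `sampleEntries` are constructed stand-ins for what a media signing event might record.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample entries (not real Rekor records): content digest
// plus the identity that signed it.
var sampleEntries = []string{
	"photo-0001.jpg sha256=c0ffee01 signer=creator@example.com",
	"photo-0002.jpg sha256=c0ffee02 signer=creator@example.com",
	"clip-0001.mp4 sha256=c0ffee03 signer=studio@example.com",
	"photo-0003.jpg sha256=c0ffee04 signer=creator@example.com",
	"photo-0004.jpg sha256=c0ffee05 signer=creator@example.com",
}

// RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior
// nodes, so a leaf hash can never be passed off as a node hash.
func hashLeaf(entry []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(entry)
	return h.Sum(nil)
}

func hashNode(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// split returns the largest power of two strictly less than n (n >= 2),
// the point at which RFC 6962 divides a tree of n leaves.
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// merkleRoot computes the tree head over already-hashed leaves.
func merkleRoot(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		return sha256.New().Sum(nil) // hash of the empty tree
	case 1:
		return leaves[0]
	}
	k := split(len(leaves))
	return hashNode(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
}

// inclusionProof returns the sibling hashes, leaf upward, that let a
// verifier rebuild the root from leaf idx alone.
func inclusionProof(leaves [][]byte, idx int) [][]byte {
	if len(leaves) <= 1 {
		return nil
	}
	k := split(len(leaves))
	if idx < k {
		return append(inclusionProof(leaves[:k], idx), merkleRoot(leaves[k:]))
	}
	return append(inclusionProof(leaves[k:], idx-k), merkleRoot(leaves[:k]))
}

// rootFromProof folds a leaf hash and its proof back into a root by
// mirroring the recursion in inclusionProof; nil means a malformed proof.
func rootFromProof(leaf []byte, idx, size int, proof [][]byte) []byte {
	if size <= 1 {
		if len(proof) != 0 {
			return nil
		}
		return leaf
	}
	if len(proof) == 0 {
		return nil
	}
	sibling, rest := proof[len(proof)-1], proof[:len(proof)-1]
	k := split(size)
	if idx < k {
		if sub := rootFromProof(leaf, idx, k, rest); sub != nil {
			return hashNode(sub, sibling)
		}
		return nil
	}
	if sub := rootFromProof(leaf, idx-k, size-k, rest); sub != nil {
		return hashNode(sibling, sub)
	}
	return nil
}

// verifyInclusion is the client's check: it trusts only the root hash it
// holds, never the log's bare claim that the entry exists.
func verifyInclusion(entry []byte, idx, size int, proof [][]byte, root []byte) bool {
	if idx < 0 || idx >= size {
		return false
	}
	return bytes.Equal(rootFromProof(hashLeaf(entry), idx, size, proof), root)
}

func main() {
	leaves := make([][]byte, len(sampleEntries))
	for i, e := range sampleEntries {
		leaves[i] = hashLeaf([]byte(e))
	}
	root := merkleRoot(leaves)
	proof := inclusionProof(leaves, 2)
	fmt.Println("root:", hex.EncodeToString(root))
	fmt.Println("entry 2 included:", verifyInclusion([]byte(sampleEntries[2]), 2, len(leaves), proof, root))
	fmt.Println("altered entry:   ", verifyInclusion([]byte("clip-0001.mp4 sha256=deadbeef"), 2, len(leaves), proof, root))
}
```

In a real client the root hash arrives as a signed tree head from the log, and consistency proofs between successive tree heads are what demonstrate that the log only grew; this block covers the inclusion side only.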

Verification Without Trust

To verify a signature, you don't need to trust the signer's infrastructure. You check the transparency log. If the log entry exists, the certificate chains to Fulcio's root and was valid at the time the log recorded the entry, and the signature verifies against the certificate's public key, the signature is authentic. This is verification without trust — or more precisely, trust distributed across an open, auditable system.

Applying the Model to Media

Sigstore was built for software artifacts — container images, npm packages, binary releases. But the underlying model maps directly to media content:

  Sigstore (Code)               | sig-share (Media)
  ------------------------------|-------------------------------------------
  Developer signs a release     | Creator signs a photo or video
  Fulcio issues ephemeral cert  | Identity-based signing cert for creator
  Rekor logs the signing event  | Transparency log records content signature
  Consumer verifies package     | Viewer verifies media provenance

The content hash replaces the software artifact hash. The creator's identity replaces the developer's identity. The verification flow is identical.
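
The keyless signing step, the verification step, and the media mapping above fit in one short program. The following is an added example written for this article, not code from Sigstore or sig-share: a toy CA stands in for Fulcio, the OIDC exchange is assumed to have already produced the verified email address, `Bundle` is a hypothetical struct, the `SignedAt` field stands in for the time a Rekor entry would carry, and the photo bytes are a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bundle (hypothetical) is what the signer hands to the verifier.
type Bundle struct {
	Signature []byte
	Cert      *x509.Certificate
	SignedAt  time.Time // in Sigstore this is the Rekor entry's integrated time
}

// newCA stands in for Fulcio: a CA key and a self-signed root certificate.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "toy-fulcio-root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// sign is the keyless flow end to end: generate a throwaway key, have the
// CA bind its public half to the verified email in a ten-minute certificate,
// sign the content digest, and let the private key go out of scope.
func sign(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, content []byte,
	email string, now time.Time) (*Bundle, error) {
	ephemeral, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		EmailAddresses: []string{email}, // identity taken from the OIDC token
		NotBefore:      now.Add(-time.Minute),
		NotAfter:       now.Add(10 * time.Minute),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &ephemeral.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, ephemeral, digest[:])
	if err != nil {
		return nil, err
	}
	return &Bundle{Signature: sig, Cert: cert, SignedAt: now}, nil
}

// verify is the viewer's side: the certificate must chain to the trusted
// root as of signing time (it is long expired by the time anyone looks),
// carry the expected identity, and verify the signature over the digest.
func verify(b *Bundle, root *x509.Certificate, content []byte, expectedEmail string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: b.SignedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := b.Cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if len(b.Cert.EmailAddresses) != 1 || b.Cert.EmailAddresses[0] != expectedEmail {
		return fmt.Errorf("certificate identity %v is not %q", b.Cert.EmailAddresses, expectedEmail)
	}
	pub, ok := b.Cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(content)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return fmt.Errorf("signature does not verify under the certificate's key")
	}
	return nil
}

func main() {
	caKey, caCert, err := newCA()
	if err != nil {
		panic(err)
	}
	photo := []byte("constructed bytes standing in for a JPEG") // constructed sample
	b, err := sign(caKey, caCert, photo, "creator@example.com", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", verify(b, caCert, photo, "creator@example.com"))
	fmt.Println("edited:  ", verify(b, caCert, []byte("edited bytes"), "creator@example.com"))
}
```

Note the `CurrentTime` in the verify options: because the certificate lives for minutes, the verifier must evaluate validity at the moment the log recorded the signature, which is why the timestamp has to come from the transparency log rather than from the signer.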

What sig-share Adds

Media has requirements that code doesn't:

  • Edit chains: Content is edited through multiple tools. Each edit needs its own checkpoint in the provenance chain.
  • Device identity: The camera or device that captured the original content is part of the provenance story.
  • Visual verification: End users need simple, visual confirmation — not command-line output.
  • C2PA alignment: The media industry has its own emerging standard (C2PA) that sig-share integrates with rather than replacing.

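The first two items above, edit chains and device identity, can be illustrated with a hash-linked chain of checkpoints. The following is an added example for this article, not sig-share's actual format: `Checkpoint` and its fields are hypothetical, each link carries the content digest after a step plus the digest of the previous link, and the camera serial, tool name and media bytes are constructed sample values. In the Sigstore model each checkpoint would additionally be signed with an ephemeral certificate and logged; that step is described earlier in the article and omitted here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Checkpoint (hypothetical) is one link in a media provenance chain.
type Checkpoint struct {
	Step        string // "capture" for the original, "edit" for later steps
	Actor       string // device identity at capture, tool name for an edit
	Identity    string // the signing identity (the OIDC subject in Sigstore terms)
	ContentHash string // hex SHA-256 of the media bytes after this step
	Prev        string // digest() of the previous checkpoint, "" at capture
}

func hashContent(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// digest hashes an unambiguous serialisation of the checkpoint (each field
// quoted, so a field containing a separator cannot forge another layout);
// the next link must carry this value in Prev.
func (c Checkpoint) digest() string {
	canon := fmt.Sprintf("%q|%q|%q|%q|%q", c.Step, c.Actor, c.Identity, c.ContentHash, c.Prev)
	sum := sha256.Sum256([]byte(canon))
	return hex.EncodeToString(sum[:])
}

// appendCheckpoint links a new step onto the chain.
func appendCheckpoint(chain []Checkpoint, step, actor, identity string, content []byte) []Checkpoint {
	prev := ""
	if len(chain) > 0 {
		prev = chain[len(chain)-1].digest()
	}
	return append(chain, Checkpoint{Step: step, Actor: actor, Identity: identity,
		ContentHash: hashContent(content), Prev: prev})
}

// verifyChain walks the chain: it must start with an unlinked capture, every
// later link must name the digest of the one before it, and the last link's
// ContentHash must match the bytes the viewer is actually looking at.
func verifyChain(chain []Checkpoint, shown []byte) error {
	if len(chain) == 0 || chain[0].Step != "capture" || chain[0].Prev != "" {
		return fmt.Errorf("chain must start with an unlinked capture checkpoint")
	}
	for i := 1; i < len(chain); i++ {
		if chain[i].Prev != chain[i-1].digest() {
			return fmt.Errorf("checkpoint %d does not link to checkpoint %d", i, i-1)
		}
	}
	if chain[len(chain)-1].ContentHash != hashContent(shown) {
		return fmt.Errorf("displayed content does not match the final checkpoint")
	}
	return nil
}

func main() {
	raw := []byte("constructed raw capture bytes")   // constructed sample
	edited := []byte("constructed colour-graded bytes") // constructed sample
	chain := appendCheckpoint(nil, "capture", "camera-serial-0001", "creator@example.com", raw)
	chain = appendCheckpoint(chain, "edit", "photo-editor", "creator@example.com", edited)
	fmt.Println("edited version:", verifyChain(chain, edited))
	chain[0].Actor = "some-other-camera" // rewriting history breaks the next link
	fmt.Println("after tamper:  ", verifyChain(chain, edited))
}
```

Without the per-checkpoint signatures, anyone could recompute a consistent chain from scratch; the hash links only guarantee that the sequence shown to the viewer is internally consistent, and the identity binding comes from signing each link.
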
sig-share builds on sigstore's proven infrastructure while extending it for the unique needs of digital media.