technical

From Code to Content: Sigstore's Expanding Reach

sig-share··9 min read
sigstorenpmpypinvidiamodel-signingrekorcosign

Sigstore's Quiet Revolution

When sigstore launched, it solved a specific problem: making code signing easy enough that developers would actually do it. Keyless signing, transparency logs, and identity-based certificates removed the friction that had kept most of the software ecosystem unsigned.

By early 2026, that bet has paid off. Sigstore is now embedded in the infrastructure that millions of developers depend on every day.

Package Registry Adoption

The numbers tell the story:

npm

npm reached GA for sigstore-powered provenance in September 2023. Over 3,800 projects adopted build provenance during the public beta, including 134 high-impact projects. More than 500 million total downloads of provenance-enabled package versions have been recorded.

PyPI

PyPI launched sigstore attestations at GA in November 2024. By 2025, 17% of all uploads to PyPI included an attestation, with over 50,000 projects using trusted publishing.

Maven Central

Maven Central adopted sigstore-signed attestations in January 2025, bringing the Java ecosystem into the fold.

Homebrew

Homebrew ships sigstore-signed in-toto attestations for all homebrew-core bottle builds since May 2024.

Beyond Code: AI Model Signing

The most striking expansion of sigstore's model is into AI/ML. In March 2025, NVIDIA began signing all models in the NGC Catalog using sigstore. This was the first major model hub to offer cryptographic signing for hosted models.

The OpenSSF Model Signing specification (v1.0) — developed by Google, NVIDIA, and HiddenLayer — establishes an industry standard for signing AI models using sigstore's keyless infrastructure. The same Fulcio certificates and Rekor transparency log entries that secure code now secure models.

Google uses sigstore internally to secure ML models across its infrastructure, including Kaggle integration for public model verification.

Infrastructure Milestones

The underlying infrastructure has matured significantly:

Rekor v2

Rekor v2 reached GA in January 2026, representing a complete architectural redesign. The backend now uses Trillian-Tessera (tile-backed transparency log) instead of the original Trillian, resulting in lower operational costs and better performance. The public instance now offers a 99.5% availability SLO.

Cosign v3

Cosign v3 made previously opt-in features the defaults: standardized bundle format, trust root files for verification, and OCI Image 1.1 referring artifacts for container signatures.

Security Research

In December 2025, Trail of Bits published research on using Rekor transparency log monitoring to catch malicious package releases — demonstrating that transparency logs are not just a record but an active security tool.

The Pattern Applies to Media

Every step in sigstore's expansion — from code to containers to AI models — follows the same pattern:

  1. Take an artifact that people need to trust
  2. Make signing frictionless with keyless, identity-based certificates
  3. Record every signing event in a public transparency log
  4. Let anyone verify without trusting the signer's infrastructure

Media content — photos, videos, and digital documents — is the next logical domain for this pattern. The artifact is a media file instead of a package. The signer is a creator instead of a developer. But the verification model is identical.

sig-share applies exactly this pattern. The sigstore-js library (v4.1.0) provides the JavaScript infrastructure for signing and verification. c2pa-js provides the manifest format. sig-share connects them with a transparency log designed for content provenance.

← Back to all articles