What is Sigstore?
Open-source supply-chain attestation infrastructure: Cosign (signing tool), Rekor (transparency log), Fulcio (CA). Securie publishes attestations to Rekor for public verifiability.
Full explanation
Sigstore lets developers sign artifacts with short-lived, identity-bound keys (Fulcio issues a certificate for an OIDC identity) and publish the signature to a public transparency log (Rekor) for audit. Securie's attestation chain can optionally publish every finding, patch, SBOM and AIBOM attestation to Rekor; auditors verify them with cosign verify-blob.
Example
Set REKOR_URL in Securie's environment; every signed envelope then publishes to https://rekor.sigstore.dev/. An auditor verifies with `cosign verify-blob --certificate-identity ...` against Securie's signing identity.
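As an added example (not Securie's own tooling), the publish and verify sides as shell functions around cosign 2.x; it assumes cosign is installed and that the auditor supplies Securie's signing identity and OIDC issuer through the placeholder variables SECURIE_SIGNING_IDENTITY and SECURIE_OIDC_ISSUER.

```shell
#!/usr/bin/env sh
# Added example, not part of Securie: publish an attestation to Rekor and
# verify it with all three trust anchors pinned (identity, issuer, log).

# Default is the public Sigstore log; REKOR_URL overrides it for a private instance.
rekor_url() { printf '%s' "${REKOR_URL:-https://rekor.sigstore.dev}"; }

# Producer side (what Securie does when REKOR_URL is set): keyless signing,
# Fulcio issues the short-lived certificate and the entry is written to Rekor.
# The bundle file carries signature, certificate and the Rekor entry together.
publish_attestation() {
  artifact="$1"; bundle="$2"
  [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 2; }
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 3; }
  cosign sign-blob --yes --bundle "$bundle" --rekor-url "$(rekor_url)" "$artifact"
}

# Auditor side: refuse to run unless the expected identity is pinned, because
# verify-blob with only a Rekor entry proves presence in the log, not who signed.
# SECURIE_SIGNING_IDENTITY / SECURIE_OIDC_ISSUER are assumed placeholder names.
verify_attestation() {
  artifact="$1"; bundle="$2"
  identity="${SECURIE_SIGNING_IDENTITY:-}"
  issuer="${SECURIE_OIDC_ISSUER:-}"
  [ -n "$identity" ] || { echo "SECURIE_SIGNING_IDENTITY is not set" >&2; return 2; }
  [ -n "$issuer" ]   || { echo "SECURIE_OIDC_ISSUER is not set" >&2; return 2; }
  [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 2; }
  [ -f "$bundle" ]   || { echo "missing bundle: $bundle" >&2; return 2; }
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 3; }
  # Exit status 0 only if the certificate matches identity AND issuer, the
  # signature matches the artifact, and the Rekor entry in the bundle checks out.
  cosign verify-blob \
    --bundle "$bundle" \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$issuer" \
    --rekor-url "$(rekor_url)" \
    "$artifact"
}
```

Pinning --certificate-oidc-issuer alongside the identity matters: an identity string is only meaningful relative to the issuer that asserted it, and cosign refuses to verify without both.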
FAQ
Is Rekor required?
No — Securie's signing chain works standalone. Rekor adds public transparency for organizations that want it.