Dependency and Artifact Signing
Verifying provenance with SLSA and Sigstore.
Why Provenance Matters
An SBOM tells you what is inside an artifact. Provenance tells you where it came from and how it was built. Signing binds an artifact to a verifiable origin so consumers can reject anything that was not produced by your trusted pipeline.
Without provenance, an attacker who swaps a tarball in your registry is indistinguishable from a legitimate release.
Digests, Not Tags
The foundation of integrity is content addressing. A cryptographic hash (digest) of an artifact uniquely identifies those exact bytes. Mutable tags like latest can be re-pointed; a digest cannot.
# pull by immutable digest, not a tag
docker pull my-app@sha256:1d52838af602b4b5a831beb13a0e4d073280665ea7be7f69ce2382f29c5a613f
# compute a file digest
sha256sum release-1.4.0.tar.gz
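A small checker for the digest-pinning rule above, added here as an example and not code from this lesson: it accepts only references of the form name@sha256:<hex> (a tag such as latest is rejected because it can be re-pointed), streams the artifact's SHA-256 the way sha256sum does, and compares against the pin in constant time. The reference format, function names and sample bytes are assumptions for illustration.

```python
import hashlib
import hmac
import re

# Only references pinned by digest are accepted ("my-app@sha256:<64 hex chars>").
# Tag references such as "my-app:latest" are mutable and are rejected on purpose.
_PINNED_REF = re.compile(r"^(?P<name>[^@:\s]+)@sha256:(?P<hex>[0-9a-f]{64})$")

def is_pinned_ref(ref: str) -> bool:
    """Cheap check before pulling: does the reference pin a digest at all?"""
    return _PINNED_REF.match(ref.strip()) is not None

def parse_pinned_ref(ref: str) -> tuple[str, str]:
    """Return (name, hex digest) for a digest-pinned reference; reject anything else."""
    match = _PINNED_REF.match(ref.strip())
    if match is None:
        raise ValueError(f"reference is not pinned by a sha256 digest: {ref!r}")
    return match.group("name"), match.group("hex")

def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so a large tarball is not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def digest_matches(actual_hex: str, pinned_ref: str) -> bool:
    """True only if the computed digest equals the one the reference pins."""
    _, expected_hex = parse_pinned_ref(pinned_ref)
    # constant-time comparison: timing must not reveal how many bytes matched
    return hmac.compare_digest(actual_hex, expected_hex)

def verify_file(path: str, pinned_ref: str) -> bool:
    """Equivalent of running sha256sum and then strictly comparing to the pin."""
    return digest_matches(sha256_file(path), pinned_ref)

if __name__ == "__main__":
    # constructed sample: the pin is derived from the bytes, then a tampered copy is checked
    release = b"release-1.4.0 contents (constructed sample)\n"
    pin = f"my-app@sha256:{sha256_bytes(release)}"
    print(digest_matches(sha256_bytes(release), pin))          # True
    print(digest_matches(sha256_bytes(release + b"x"), pin))   # False
```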