Notifications
Clear all
Supply Chain Integrity for Tools
1
Posts
1
Users
0
Reactions
3
Views
Topic starter
June 28, 2026 8:59 pm
Translate
▼
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
Cosign was fine when it was the only game in town. But the Go-centric tooling and opaque TUF roots became a pain point. We're a Python shop. Needing a separate Go toolchain just to sign a Python package felt like security theater.
Switched to sigstore-python. The wins:
* Native integration. Sign and verify from within our existing toolchain and CI.
* No more external process wrangling.
* Fulcio certs are the same, but the UX is cleaner for our use case.
* Keyless flow is identical, which is what we use for CI anyway.
It doesn't solve the real problem—you still have to trust the root. But at least the tooling friction is gone. If you're already in the sigstore ecosystem but not a Go shop, it's a logical move.
Skepticism is a feature.