This skill covers implementing code signing for build artifacts to ensure integrity and authenticity throughout the software supply chain. It addresses signing binaries, packages, and containers using GPG, Sigstore, and platform-specific signing tools, establishing trust chains, and verifying signatures in deployment pipelines.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-code-signing-for-artifactsExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-code-signing-for-artifacts from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-code-signing-for-artifacts. Access via /implementing-code-signing-for-artifacts in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Use skill to generate boilerplate code, refactor legacy code, and write tests faster
Example
Generate React component with TypeScript types, styled-components, and comprehensive test suite in minutes
Reduce development time by 40-60% for repetitive coding tasks
Systematically review code for bugs, security issues, and style violations
Example
Analyze pull requests for common anti-patterns, suggest performance improvements, flag security vulnerabilities
Catch 70%+ of code issues before human review, improve code quality
Trace errors through stack traces and identify root causes faster
Example
Analyze error logs, suggest probable causes, recommend fixes with code examples
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-code-signing-for-artifacts |
| description | 'This skill covers implementing code signing for build artifacts to ensure integrity and authenticity throughout the software supply chain. It addresses signing binaries, packages, and containers using GPG, Sigstore, and platform-specific signing tools, establishing trust chains, and verifying signatures in deployment pipelines. ' |
| domain | cybersecurity |
| subdomain | devsecops |
| tags | - devsecops - cicd - code-signing - supply-chain - sigstore - secure-sdlc |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - GV.SC-07 - ID.IM-04 - PR.PS-04 |
Do not use for encrypting artifacts (signing provides integrity, not confidentiality), for container image signing specifically (use cosign), or for source code authentication (use commit signing).
# Generate GPG key for artifact signing
gpg --full-generate-key --batch <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: eddsa
Subkey-Curve: ed25519
Name-Real: CI Build System
Name-Email: [email protected]
Expire-Date: 1y
%no-protection
EOF
# Export public key for distribution
gpg --armor --export [email protected] > signing-key.pub
# Export private key for CI/CD (store in secrets manager)
gpg --armor --export-secret-keys [email protected] > signing-key.priv
# .github/workflows/build-sign.yml
name: Build and Sign
on:
push:
tags: ['v*']
jobs:
build-sign:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write # For Sigstore keyless signing
steps:
- uses: actions/checkout@v4
- name: Build artifacts
run: |
make build
sha256sum dist/* > dist/checksums.sha256
- name: Import GPG Key
run: |
echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import
gpg --list-secret-keys
- name: Sign artifacts
run: |
for file in dist/*; do
gpg --detach-sign --armor --local-user [email protected] "$file"
done
- name: Install cosign for keyless signing
uses: sigstore/cosign-installer@v3
- name: Keyless sign with Sigstore
run: |
for file in dist/*.tar.gz; do
cosign sign-blob "$file" \
--output-signature "${file}.sig" \
--output-certificate "${file}.cert" \
--yes
done
- name: Create Release with signed artifacts
uses: softprops/action-gh-release@v2
with:
files: |
dist/*
dist/*.asc
dist/*.sig
dist/*.cert
# Verify GPG signature
gpg --import signing-key.pub
gpg --verify artifact.tar.gz.asc artifact.tar.gz
# Verify Sigstore keyless signature
cosign verify-blob artifact.tar.gz \
--signature artifact.tar.gz.sig \
--certificate artifact.tar.gz.cert \
--certificate-identity [email protected] \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
# Verify checksums
sha256sum --check checksums.sha256
{
"scripts": {
"prepublishOnly": "npm run build && npm run test"
},
"publishConfig": {
"provenance": true
}
}
# Publish npm package with provenance attestation
npm publish --provenance
| Term | Definition |
|---|---|
| Code Signing | Cryptographic process of signing software artifacts to verify publisher identity and artifact integrity |
| Detached Signature | Signature stored in a separate file from the artifact, allowing independent distribution |
| Keyless Signing | Sigstore's approach using short-lived certificates tied to OIDC identities instead of long-lived keys |
| Provenance | Metadata describing how, where, and by whom an artifact was built |
| Transparency Log | Append-only log (Rekor) that records all signing events for public auditability |
| Trust Chain | Hierarchical chain from root CA to signing certificate establishing trust in the signer's identity |
| SLSA | Supply-chain Levels for Software Artifacts — framework defining levels of supply chain security |
Context: An open-source project needs to sign release artifacts so users can verify authenticity and detect tampering.
Approach:
cosign sign-blob using OIDC identityPitfalls: GPG key compromise requires revoking and re-signing all artifacts. Sigstore keyless signing avoids this by using ephemeral keys. Long-lived signing keys in CI/CD secrets are a supply chain risk if the CI system is compromised.
Artifact Signing Report
========================
Pipeline: Build and Sign v2.3.0
Date: 2026-02-23
Signing Method: Sigstore Keyless + GPG
SIGNED ARTIFACTS:
app-v2.3.0-linux-amd64.tar.gz
GPG: PASS ([email protected], EdDSA/Ed25519)
Sigstore: PASS (Rekor entry: 24658135, Fulcio cert issued)
SHA256: a1b2c3d4...
app-v2.3.0-darwin-arm64.tar.gz
GPG: PASS
Sigstore: PASS (Rekor entry: 24658136)
SHA256: e5f6g7h8...
checksums.sha256
GPG: PASS (detached signature)
TRANSPARENCY LOG:
Entries recorded: 3
Log index range: 24658135-24658137
Verification: https://search.sigstore.dev
Cut debugging time by 30-50%, especially for unfamiliar codebases
Get explanations, examples, and best practices for unfamiliar frameworks
Example
Understand Next.js app router, learn Rust ownership, grasp Kubernetes concepts with practical examples
Accelerate learning curve by 2-3x, reduce onboarding time for new tech stacks
Prerequisites
Time Estimate
15-30 minutes to install and see first useful output
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use coding skills for boilerplate generation, code reviews, refactoring legacy code, writing tests, learning new frameworks, and debugging non-critical issues. Best for repetitive tasks where errors are easy to catch.
✗ Avoid when
Avoid for production security features (auth, encryption, payment processing), complex business logic requiring deep domain knowledge, performance-critical algorithms, or when learning fundamentals is more valuable than speed.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
implementing-code-signing-for-artifacts has been reliable in day-to-day use. Documentation quality is above average for community skills.
We added implementing-code-signing-for-artifacts from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Keeps context tight: implementing-code-signing-for-artifacts is the kind of skill you can hand to a new teammate without a long onboarding doc.
We added implementing-code-signing-for-artifacts from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Solid pick for teams standardizing on skills: implementing-code-signing-for-artifacts is focused, and the summary matches what you get after install.
implementing-code-signing-for-artifacts reduced setup friction for our internal harness; good balance of opinion and flexibility.
implementing-code-signing-for-artifacts is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
implementing-code-signing-for-artifacts reduced setup friction for our internal harness; good balance of opinion and flexibility.
implementing-code-signing-for-artifacts is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
I recommend implementing-code-signing-for-artifacts for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
showing 1-10 of 56