
Central Publisher Portal now validates Sigstore signatures


As part of our ongoing efforts to enhance security and trust in the Central repository ecosystem, we are introducing Sigstore signature validation in the Central Publisher Portal. Sigstore is a project that aims to create a standardized, modern approach to securing the software supply chain. It works in much the same way as PGP signatures, but with the intent of providing a smoother setup process for publishers and an easier auditing process for consumers.

This update ensures that developers who sign their artifacts with Sigstore can verify that their signatures are correctly validated before distribution. While Sigstore signatures remain optional for now, this is an important step toward modernizing artifact verification and improving the security of software supply chains.

What's new?

In our previous update, we announced support for publishing Sigstore signature files. Now, we're taking the next step: validating those signatures as part of the publishing process.

If you're new to Sigstore, check out their official documentation to learn how to sign artifacts.

Key highlights of this change

  • Sigstore signatures are now validated when publishing artifacts via the Central Publisher Portal.

  • Warnings will appear for invalid Sigstore signatures — helping publishers identify and resolve issues early.

  • PGP signatures remain fully supported and required, and we are not replacing them.

  • Sigstore signatures are still optional at this time, but invalid ones will eventually block deployments.

  • This lays the groundwork for future attestations. As the ecosystem matures, we may introduce in-toto attestations or similar mechanisms to strengthen software supply chain security further.

Over time, we plan to refine this integration and explore additional verification methods, such as in-toto attestations, to provide even stronger assurances about the provenance of published artifacts.
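To make the publishing policy above concrete, here is an added example of a local pre-publish check a publisher could run before uploading. It is not Sonatype's code and does not reproduce what the Central Publisher Portal does internally; the post does not describe that. It assumes the sidecar uploaded alongside an artifact is a standard Sigstore bundle JSON document (the `mediaType`, `verificationMaterial` and `messageSignature.messageDigest` fields are the bundle format that cosign and sigstore-java emit), that the PGP signature is the usual `.asc` file Central requires, and it only performs a structural check: the bundle parses, carries verification material, and its embedded SHA-256 digest matches the artifact being uploaded. Verifying the signature, the signing certificate against the Sigstore trust root and the transparency-log entry requires the Sigstore tooling and is deliberately out of scope here. The demo bundle and artifact bytes are constructed placeholders.

```python
import base64
import hashlib
import json
from typing import List, Optional

# Sigstore bundle media types (assumption: the sidecar uploaded to the
# portal is a standard Sigstore bundle JSON document, which is what
# cosign and sigstore-java emit).
KNOWN_BUNDLE_MEDIA_TYPES = {
    "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "application/vnd.dev.sigstore.bundle+json;version=0.2",
    "application/vnd.dev.sigstore.bundle.v0.3+json",
}


def check_bundle_against_artifact(artifact: bytes, bundle_json: str) -> List[str]:
    """Structural pre-check of a Sigstore bundle for one artifact file.

    Returns a list of problems; an empty list means the bundle is well
    formed and its embedded digest matches the artifact. This does NOT
    verify the signature, the signing certificate or the Rekor entry;
    that needs the Sigstore trust root and is left to cosign/sigstore-java.
    """
    problems: List[str] = []
    try:
        bundle = json.loads(bundle_json)
    except json.JSONDecodeError as exc:
        return [f"bundle is not valid JSON: {exc}"]

    media_type = bundle.get("mediaType", "")
    if media_type not in KNOWN_BUNDLE_MEDIA_TYPES:
        problems.append(f"unexpected mediaType {media_type!r}")
    if "verificationMaterial" not in bundle:
        problems.append("bundle has no verificationMaterial (certificate / log entry)")

    msg = bundle.get("messageSignature")
    if msg is None:
        # A bundle may instead carry a DSSE envelope (used for attestations);
        # a plain artifact signature should use messageSignature.
        if "dsseEnvelope" in bundle:
            problems.append("bundle carries a dsseEnvelope, not a messageSignature over the artifact")
        else:
            problems.append("bundle has neither messageSignature nor dsseEnvelope")
        return problems

    digest_info = msg.get("messageDigest", {})
    algorithm = digest_info.get("algorithm")
    if algorithm != "SHA2_256":
        problems.append(f"unsupported digest algorithm {algorithm!r}")
        return problems
    try:
        claimed = base64.b64decode(digest_info.get("digest", ""), validate=True)
    except (ValueError, TypeError):
        problems.append("messageDigest.digest is not valid base64")
        return problems

    # The most common publisher mistake: the bundle was produced for a
    # different build of the jar than the one being uploaded.
    actual = hashlib.sha256(artifact).digest()
    if claimed != actual:
        problems.append(
            f"digest mismatch: bundle says {claimed.hex()}, artifact is {actual.hex()}"
        )
    if not msg.get("signature"):
        problems.append("messageSignature.signature is empty")
    return problems


def check_staged_artifact(artifact: bytes,
                          pgp_signature: Optional[bytes],
                          sigstore_bundle: Optional[str]) -> dict:
    """Apply the publishing policy described in the post: a PGP .asc is
    required, a Sigstore bundle is optional, and an invalid bundle is
    reported as a warning (the post says it will eventually block)."""
    if not pgp_signature:
        return {"status": "error", "problems": ["missing required PGP signature (.asc)"]}
    if sigstore_bundle is None:
        return {"status": "ok", "problems": []}
    problems = check_bundle_against_artifact(artifact, sigstore_bundle)
    return {"status": "warn" if problems else "ok", "problems": problems}


def make_demo_bundle(artifact: bytes, tamper: bool = False) -> str:
    """Build a CONSTRUCTED bundle for the demo. The certificate and signature
    fields are placeholders, not real Sigstore output; only the digest is real."""
    digest = hashlib.sha256(artifact).digest()
    if tamper:  # simulate signing a different build than the one uploaded
        digest = hashlib.sha256(artifact + b"-rebuilt").digest()
    return json.dumps({
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {
            "certificate": {"rawBytes": "PLACEHOLDER-CERT"},
            "tlogEntries": [],
        },
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256",
                              "digest": base64.b64encode(digest).decode()},
            "signature": base64.b64encode(b"PLACEHOLDER-SIGNATURE").decode(),
        },
    })


if __name__ == "__main__":
    jar = b"constructed jar bytes, not a real archive"
    asc = b"-----BEGIN PGP SIGNATURE-----\nplaceholder\n-----END PGP SIGNATURE-----\n"
    for label, bundle in (("good bundle", make_demo_bundle(jar)),
                          ("stale bundle", make_demo_bundle(jar, tamper=True))):
        print(label, check_staged_artifact(jar, asc, bundle))
```

The useful property of the digest check is that it catches the stale-bundle case offline: a bundle signed over yesterday's build of the jar will be structurally perfect and still be rejected by any real verifier, and surfacing that before upload is exactly the "identify and resolve issues early" outcome the warnings are meant to give. For the actual cryptographic verification, run the Sigstore tooling against the bundle and artifact rather than extending this script.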

Why this matters

Sigstore provides a modern, streamlined approach to cryptographic signing and verification. Integrating validation directly into our publishing workflow makes it easier for developers to adopt Sigstore while improving supply chain security for the entire Java ecosystem.

We encourage publishers to start signing with Sigstore today. Not only does this improve artifact integrity, but it also helps future-proof your publishing process as security standards evolve.

As we refine this integration, we'd love to hear your feedback. Let us know how this update impacts your publishing workflow and what additional security features you'd like to see. We're excited to see how the community adopts this new capability!

For full details, check out the official announcement.


Written by Brian Fox

Brian Fox, CTO and co-founder of Sonatype, is a Governing Board Member for the Open Source Security Foundation (OpenSSF), a Governing Board Member for the Fintech Open Source Foundation (FINOS), a member of the Monetary Authority of Singapore Cyber and Technology Resilience Experts (CTREX) Panel, a ...