sigstore-dotnet
Managed .NET client library for Sigstore bundle signing and verification — pure managed code, no native binaries, no unsafe. Targets .NET 8, 9, and 10.
What is Sigstore?
Sigstore is a Linux Foundation project for keyless software signing. Instead of managing long-lived private keys, the signer generates an ephemeral key pair, proves its identity to an OIDC provider (GitHub Actions, Google, Microsoft, etc.) and receives from Fulcio a short-lived X.509 certificate that binds that key to the identity. Every signing event is recorded in Rekor, a public, append-only transparency log backed by a Merkle tree, and the trust roots for Fulcio and Rekor are distributed via TUF. Because the certificate expires within minutes, a verifier does not ask whether it is valid now; it checks that the signature was logged (or timestamped) while the certificate was valid, that the certificate chains to the Fulcio root in the TUF trust root, and that the certified identity is the one the verifier expects.
The result: signing becomes a free CI step, identities are bound to an OIDC account or CI workflow rather than to a key file somebody has to protect, and any consumer can audit what was signed, by whom, and when, with no private PKI to operate.
Why a .NET implementation?
The Sigstore project ships first-class clients for Go, Java, and Python. For .NET, the historical options were to shell out to cosign or P/Invoke into sigstore-go — both bring native dependencies and complicate deployment. sigstore-dotnet is a pure managed implementation that runs everywhere .NET runs, integrates with Microsoft.Extensions.DependencyInjection and IOptions<T>, and is fully cross-client interoperable with cosign and sigstore-python.
Quick links
- Introduction to Sigstore — concepts, architecture, why .NET
- Getting Started — install and first sign/verify
- Cosign Integration — container image workflow
- Architecture — verification and signing pipelines
- API Reference — auto-generated from XML doc comments
- Contributors — everyone who has contributed
- Stats — downloads, stars, release cadence, security score
- GitHub Repository
- NuGet Package
Verified
- 132/132 sigstore-conformance tests passing — zero xfails
- 15 cross-client interop tests (sign with cosign, verify with .NET, etc.)
- 82 unit tests across .NET 8, 9, and 10