Keyless Signing for .NET: Sigstore Internals and the Case for a Managed Client
Sigstore removes the hardest part of code signing — long-lived key management — by binding signatures to short-lived certificates issued against OIDC identities, and recording every signing event in a public transparency log. npm ships Sigstore-backed provenance, PyPI accepts attestations, Kubernetes signs its releases with it. Official client libraries exist for Go, Python, Java, JavaScript, and Rust. .NET was the gap. sigstore-dotnet (docs, Sigstore.Net on NuGet) closes it with a fully managed implementation of the Sigstore client specification. This post covers what the protocol actually does on the wire, and why a native library — not a shelled-out CLI — is the right integration point. ...