As part of our ongoing efforts to enhance security and trust in the Central repository ecosystem, we are introducing Sigstore signature validation in the Central Publisher Portal. Sigstore is a project that aims to create a standardized, modern approach to securing the software supply chain. It works in much the same way as PGP signatures do, but aims for a smoother setup and an easier auditing process for consumers.
This update ensures that developers who sign their artifacts with Sigstore can verify that their signatures are correctly validated before distribution. While Sigstore signatures remain optional for now, this is an important step toward modernizing artifact verification and improving the security of software supply chains.
What's New?
In our previous update, we announced support for publishing Sigstore signature files. Now, we're taking the next step: validating those signatures as part of the publishing process.
If you're new to Sigstore, check out their official documentation to learn how to sign artifacts.
Key Highlights of This Change
- Sigstore signatures are now validated when publishing artifacts via the Central Publisher Portal.
- Warnings will appear for invalid Sigstore signatures — helping publishers identify and resolve issues early.
- PGP signatures remain fully supported and required, and we are not replacing them.
- Sigstore signatures are still optional at this time, but invalid ones will eventually block deployments.
- This lays the groundwork for future attestations. As the ecosystem matures, we may introduce in-toto attestations or similar mechanisms to strengthen software supply chain security further.
Over time, we plan to refine this integration and explore additional verification methods, such as in-toto attestations, to provide even stronger assurances about the provenance of published artifacts.
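A publisher-side pre-flight check in the spirit of the warnings described above, written for this post as an added example (it is not Sonatype's or Sigstore's code): it parses a Sigstore bundle JSON and confirms that the digest recorded in it matches the artifact bytes about to be published. The bundle layout follows the public Sigstore bundle format; the artifact bytes and the bundle are constructed here, and the check deliberately stops short of full cryptographic verification (certificate chain, signature, Rekor entry), for which cosign or sigstore-python should be used.

```python
"""Pre-publish sanity check of a Sigstore bundle against the artifact it signs.
Added example with constructed data, stdlib only. Checks the bundle layout and
that its recorded digest matches the artifact bytes. Does NOT verify the
certificate, signature or Rekor entry (use cosign or sigstore-python)."""
import base64
import hashlib
import json

BUNDLE_MEDIA_PREFIX = "application/vnd.dev.sigstore.bundle"

def check_bundle(artifact: bytes, bundle_json: str) -> list[str]:
    """Return the warnings found; an empty list means the bundle is consistent."""
    warnings = []
    try:
        bundle = json.loads(bundle_json)
    except json.JSONDecodeError as exc:
        return [f"bundle is not valid JSON: {exc}"]
    media_type = bundle.get("mediaType", "")
    if not media_type.startswith(BUNDLE_MEDIA_PREFIX):
        warnings.append(f"unexpected mediaType {media_type!r}")
    material = bundle.get("verificationMaterial", {})
    if not ("certificate" in material or "x509CertificateChain" in material):
        warnings.append("no signing certificate in verificationMaterial")
    if not material.get("tlogEntries"):
        warnings.append("no transparency log (Rekor) entries in bundle")
    msg_sig = bundle.get("messageSignature")
    if not msg_sig:
        return warnings + ["bundle has no messageSignature"]
    digest = msg_sig.get("messageDigest", {})
    if digest.get("algorithm") != "SHA2_256":
        return warnings + [f"unsupported digest algorithm {digest.get('algorithm')!r}"]
    try:
        claimed = base64.b64decode(digest.get("digest", ""), validate=True)
    except (ValueError, TypeError):
        return warnings + ["messageDigest.digest is not valid base64"]
    if claimed != hashlib.sha256(artifact).digest():
        # Typical cause: the artifact was rebuilt after it was signed.
        warnings.append("bundle digest does not match artifact; re-sign the published bytes")
    if not msg_sig.get("signature"):
        warnings.append("messageSignature.signature is empty")
    return warnings

def sample_bundle(artifact: bytes) -> str:
    """Constructed bundle: real layout, placeholder certificate and signature."""
    digest = base64.b64encode(hashlib.sha256(artifact).digest()).decode()
    material = {"certificate": {"rawBytes": "PLACEHOLDER_CERT"}, "tlogEntries": [{"logIndex": "0"}]}
    sig = {"messageDigest": {"algorithm": "SHA2_256", "digest": digest}, "signature": "PLACEHOLDER_SIG"}
    return json.dumps({"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
                       "verificationMaterial": material, "messageSignature": sig})
```

Running `check_bundle` over each artifact and its bundle before uploading catches the digest mismatch that a rebuild-after-signing produces, which is the kind of issue the Portal's warnings are meant to surface.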
Why This Matters
Sigstore provides a modern, streamlined approach to cryptographic signing and verification. Integrating validation directly into our publishing workflow makes it easier for developers to adopt Sigstore while improving supply chain security for the entire Java ecosystem.
We encourage publishers to sign with Sigstore today. Not only does this improve artifact integrity, but it also helps future-proof your publishing process as security standards evolve.
As we refine this integration, we'd love to hear your feedback. Let us know how this update impacts your publishing workflow and what additional security features you'd like to see. We're excited to see how the community adopts this new capability!
For full details, check out the official announcement.
Brian Fox, CTO and co-founder of Sonatype, is a Governing Board Member for the Open Source Security Foundation (OpenSSF), a Governing Board Member for the Fintech Open Source Foundation (FINOS), a member of the Monetary Authority of Singapore Cyber and Technology Resilience Experts (CTREX) Panel, a member of the Apache Software Foundation and former Chair of the Apache Maven project. Working with OpenSSF, Brian helped create The Open Source Consumption Manifesto, urging organizations to elevate awareness of open source usage. He also chaired efforts to provide official responses to requests for information from The Office of the National Cybersecurity Directorate (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA). Within the Atlantic Council's Open Source Policy Network, Brian actively helps shape cybersecurity strategy, offering valuable insights on critical documents, such as ONCD's recent National Cyber Security Strategy. Brian has over 20 years of experience driving the vision behind, developing, and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events, including Java User Groups and other security and development-related conferences.