II. Workflow overview
Reference · liveworkflow:artifact-signing-and-provenance
Artifact Signing and Provenance overview
Ensures every release artifact (container image, binary, SBOM) is cryptographically signed and accompanied by verifiable provenance metadata — configuring Sigstore/cosign or GPG signing in CI, generating SLSA provenance attestations, verifying signatures in deployment admission controllers, auditing key-rotation schedules, and validating that downstream consumers can verify provenance end-to-end. Produces a signing-compliance report. Excludes key-ceremony procedures.
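The two halves of the workflow described above that carry the most security weight are the CI-side signing step and the admission-side verification. The following Go program is an added worked example, not code from this page or from Sigstore, cosign or any SLSA tooling. It uses an Ed25519 key pair as a stand-in for the cosign or GPG signing key, wraps an in-toto Statement carrying a SLSA v0.2 provenance predicate in a single-signature DSSE envelope, and then runs the checks an admission controller must perform before admitting an image: signature by the trusted key over the DSSE pre-authentication encoding, subject digest equal to the artifact actually being deployed, and builder identity on an allow-list. The artifact bytes, builder URIs and names are constructed for the example; keyless Sigstore verification (Fulcio certificate identity, Rekor inclusion proof) and key-rotation auditing are outside what this example shows.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// DSSE payload type for in-toto, the in-toto Statement schema, the SLSA v0.2 predicate.
const (
	payloadType   = "application/vnd.in-toto+json"
	statementType = "https://in-toto.io/Statement/v0.1"
	predicateType = "https://slsa.dev/provenance/v0.2"
)

// Subject binds the attestation to one artifact by digest.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement is the in-toto attestation around a SLSA predicate, reduced to the
// provenance field every admission policy pins: the identity of the builder.
type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     struct {
		Builder struct{ ID string `json:"id"` } `json:"builder"`
	} `json:"predicate"`
}

// pae is the DSSE Pre-Authentication Encoding: the signature also covers the
// payload type, so a signed body cannot be replayed as another kind of document.
func pae(pt string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(pt), pt, len(body), body))
}

func sha256Hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Attest is the CI side: build the provenance statement for artifact and sign it.
func Attest(priv ed25519.PrivateKey, name string, artifact []byte, builder string) (payload, sig []byte) {
	st := Statement{Type: statementType, PredicateType: predicateType,
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(artifact)}}}}
	st.Predicate.Builder.ID = builder
	payload, _ = json.Marshal(st) // plain structs and strings: cannot fail
	return payload, ed25519.Sign(priv, pae(payloadType, payload))
}

// Verify is the admission side. Order matters: authenticate before parsing, bind
// the statement to this exact artifact, then apply the builder allow-list.
func Verify(payload, sig, artifact []byte, trusted ed25519.PublicKey, builders map[string]bool) error {
	if !ed25519.Verify(trusted, pae(payloadType, payload), sig) {
		return fmt.Errorf("signature not made by the trusted key")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return fmt.Errorf("malformed statement: %w", err)
	}
	if st.Type != statementType || st.PredicateType != predicateType {
		return fmt.Errorf("unexpected statement %q / predicate %q", st.Type, st.PredicateType)
	}
	want, bound := sha256Hex(artifact), false
	for _, s := range st.Subject {
		bound = bound || s.Digest["sha256"] == want
	}
	if !bound {
		return fmt.Errorf("attestation does not cover artifact sha256:%s", want)
	}
	if b := st.Predicate.Builder.ID; !builders[b] {
		return fmt.Errorf("builder %q not in allow-list", b)
	}
	return nil
}

// Demo attests a constructed artifact and reports admission's decision in four cases (builder URIs hypothetical).
func Demo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	art, ci := []byte("constructed release binary v1.2.3"), "https://ci.example.com/builders/release"
	check := func(k ed25519.PrivateKey, builder string, deployed []byte) error {
		payload, sig := Attest(k, "app", art, builder)
		return Verify(payload, sig, deployed, pub, map[string]bool{ci: true})
	}
	return map[string]error{
		"valid":          check(priv, ci, art),
		"swapped_binary": check(priv, ci, []byte("constructed binary with an extra payload")),
		"untrusted_key":  check(rogue, ci, art),
		"wrong_builder":  check(priv, "https://dev.example.com/laptop", art),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-15s %v\n", name, err)
	}
}
```

Only the "valid" case is admitted; the other three show why each check exists: the digest comparison stops a genuine attestation from being replayed against a different binary, the signature check rejects statements from a key the cluster never trusted, and the builder allow-list rejects an artifact signed with the right key but built outside the release pipeline. The statement is parsed only after its signature verifies, so no untrusted JSON reaches the policy logic.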
Attributes
displayName: Artifact Signing and Provenance
workflowKind: security
triggerType: event-driven
typicalCadence: per-release
complexity: single-team
description: Ensures every release artifact (container image, binary, SBOM) is cryptographically signed and accompanied by verifiable provenance metadata — configuring Sigstore/cosign or GPG signing in CI, generating SLSA provenance attestations, verifying signatures in deployment admission controllers, auditing key-rotation schedules, and validating that downstream consumers can verify provenance end-to-end. Produces a signing-compliance report. Excludes key-ceremony procedures.
Outgoing edges
applies_to_domain (2)
- domain:devops · Domain · DevOps
- domain:security · Domain · Security
involves_role (3)
- role:security-engineer · Role · Security Engineer
- role:devops-engineer · Role
- role:release-manager-bot · Role · Release Manager (Bot)
performed_by_org_unit (2)
- org-unit:release-engineering · OrgUnit · Release Engineering
- org-unit:application-security-team · OrgUnit · Application Security Team
requires_skill_area (2)
- skill-area:gitops · SkillArea
- skill-area:signature-schemes · SkillArea · Digital Signature Schemes
triggers_responsibility (2)
- responsibility:release-coordination · Responsibility
- responsibility:security-review · Responsibility · Security review
Incoming edges
None.