#19DELIVERYPACKAGEElite
Artifact Signing
Cryptographic verification
Hard
Overview
Cryptographically sign artifacts to ensure authenticity and detect tampering. Only signed artifacts can be deployed.
Why It Matters
Verify artifacts haven't been tampered with. Only deploy what you built.
The Risk
Without signing, attackers can substitute malicious artifacts. Compromised registries can serve poisoned images. You can't verify that deployed artifacts are what your build system produced.
Implementation Components
A complete implementation of this capability includes:
- Key management infrastructure for signing keys
- Automated signing during artifact creation
- Signatures stored alongside artifacts
- Deployment-time signature verification
- Key rotation procedures
- Audit log of all signing operations
Implementation Pattern
- 1Generate signing keys
- 2Sign artifacts during build
- 3Store signatures
- 4Verify before deploy
Tool Examples
These are examples, not endorsements. Choose what fits your context.
Dependencies
Requires (must have first)
Enhanced by (more effective with)
Enables (unlocks)
Same Phase
Other capabilities in this pipeline phase